Watch Performance

Linda Knippers linda.knippers at hp.com
Tue Apr 11 21:21:01 UTC 2006


Steve Grubb wrote:

> I also don't like the idea of handling this by all those syscalls or using 
> "all" because user space tools could get out of sync with the kernel. On any 
> kernel upgrade, there could be a new syscall that allows file system access. 
> The user space tools wouldn't know about it and wouldn't provide automatic 
> coverage.

Maybe we ought to have a way to specify all system calls of a
particular type and let the kernel audit code decide which ones
those are.  We could group file operations, mode changes, ownership
changes, privilege changes, execs, time changes, etc.  That way
admins don't necessarily have to know all the different ways one
might do a chown, lchown, fchown, etc.  And maybe there should be
an 'all' that really means 'all' and not just all that the user
space tools know about.

-- ljk
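
The coverage drift discussed in this message, shown as an added example (not part of the original post and not the audit project's code): a Python check that reads auditctl-style rules and reports which syscalls of a group have no recording rule. The group name `ownership`, its membership (the x86_64 chown family) and the sample rules are assumptions constructed for illustration.

```python
import shlex

# Hypothetical grouping: "ownership" is not an auditctl keyword.
# Membership is the chown family as found on x86_64 Linux.
SYSCALL_CLASSES = {
    "ownership": {"chown", "fchown", "lchown", "fchownat"},
}

# Constructed sample rules: fchownat is only named in a "never" rule.
SAMPLE_RULES = """\
# constructed sample audit.rules
-a always,exit -F arch=b64 -S chown -S fchown -S lchown -k perm_mod
-a never,exit -F arch=b64 -S fchownat
"""


def audited_syscalls(rules_text):
    """Return syscall names given with -S in rules whose action is 'always'."""
    covered = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        action, names = "", []
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-a", "-A"):
                action = tokens[i + 1]
            elif tok == "-S":
                # Accept both repeated -S options and comma-separated names.
                names.extend(tokens[i + 1].split(","))
        # A "never" rule suppresses records, so it is not coverage.
        if "always" in action.split(","):
            covered.update(names)
    return covered


def coverage_gaps(rules_text, classes=SYSCALL_CLASSES):
    """Map each class name to the sorted member syscalls no rule records."""
    covered = audited_syscalls(rules_text)
    if "all" in covered:
        return {}  # "-S all" is taken at face value here
    return {name: sorted(members - covered)
            for name, members in classes.items() if members - covered}


if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_RULES))
```

The table in `SYSCALL_CLASSES` has the same weakness the thread describes: it lives in user space and has to be updated by hand when a kernel adds another syscall of that type.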




More information about the Linux-audit mailing list