[PATCH] support for context based audit filtering
Steve Grubb
sgrubb at redhat.com
Fri Mar 10 22:03:36 UTC 2006
On Friday 10 March 2006 16:57, Amy Griffis wrote:
> You may want to audit_log a message indicating that the audit rules
> were updated due to policy reload. And in the case when you remove a
> rule because you couldn't update it, you might want to log that too.
Do we really need to audit_log that? I would think that syslog is enough. We
already have an event that a policy load occurred; can it be assumed that all
these were updated? We do not do audit_log for other things that may or may
not exist. For example, what if you put a rule in for uid=5000 when you meant
500. The kernel does not say anything.
-Steve