user audits

[Steve Grubb]

On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
> Would there be any issue with adding a couple new trusted_application
> event types? Would any kernel mods be needed to support this?

Are these events originating in user space or the kernel? I might be convinced to set 
aside the block of IDs from 2600 - 2699 for local use if a suitable framework were 
written. This would mean that there is some config file that holds the local mapping of 
event IDs to text and ausearch/report/parse will need to be patched to understand 
local definitions.

Would you be interested in this approach?
 
-Steve