user audits
Steve Grubb
sgrubb at redhat.com
Fri Dec 3 15:54:35 UTC 2010
On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
> Would there be any issue with adding a couple new trusted_application
> event types? Would any kernel mods be needed to support this?
Are these events originating in user space or the kernel? I might be convinced to set
aside the block of IDs from 2600 - 2699 for local use if a suitable framework were
written. This would mean that there is some config file that holds the local mapping of
event IDs to text and ausearch/report/parse will need to be patched to understand
local definitions.
Would you be interested in this approach?
-Steve
More information about the Linux-audit
mailing list