reactive audit proposal

Steve Grubb sgrubb at redhat.com
Wed May 13 18:03:27 UTC 2020


On Wednesday, May 13, 2020 1:17:02 PM EDT Joe Wulf wrote:
> What you propose is a sound enhancement.
> I have no preference for the choice between incorporating this in the audit
> daemon versus a plugin. What would be the effort to switch from one to the
> other if later on you should find the first choice wasn't as optimal?

Well, the main idea for a plugin is not to stop processing events. Busy 
systems need to keep focused on unloading the kernel backlog.
 
> I wonder about the case where a system is booted with new media already
> attached.

During initialization, it runs through the mount table just as if the mount 
table was changed. So, it has the opportunity to apply rules during init. I'm 
borrowing code from fapolicyd which has this nicely solved. (It's one of my 
other projects.)

-Steve
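
The start-up behaviour described above, as an added example that is not code from this post, from audit or from fapolicyd: one routine handles the mount table both at initialization (previous state empty) and after a later change, so media attached at boot is treated like media attached afterwards. `process_mount_table`, `apply_rules` and the sample tables are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MOUNTS 64
#define PATH_LEN   256

/* Mount points handled so far; empty when the plugin starts. */
struct mount_state { char seen[MAX_MOUNTS][PATH_LEN]; int count; };

/* Constructed sample tables in /proc/mounts format (not real captures). */
const char BOOT_TABLE[] =
    "/dev/sda1 / ext4 rw 0 0\n"
    "/dev/sdb1 /media/usb0 vfat rw 0 0\n";
const char AFTER_UNPLUG[] = "/dev/sda1 / ext4 rw 0 0\n";

static int is_seen(const struct mount_state *st, const char *mp)
{
    for (int i = 0; i < st->count; i++)
        if (strcmp(st->seen[i], mp) == 0) return 1;
    return 0;
}

/* Hypothetical hook: where a plugin would load audit rules for mp. */
static void apply_rules(const char *mp) { printf("apply rules: %s\n", mp); }

/* One code path for start-up and for every later change: handle each mount
 * point that was absent on the previous pass; return how many were new. */
int process_mount_table(const char *table, struct mount_state *st)
{
    struct mount_state now = { .count = 0 };
    char mp[PATH_LEN];
    int added = 0;
    for (const char *line = table; line && *line; ) {
        /* Field 2 is the mount point; spaces in it are escaped as \040. */
        if (sscanf(line, "%*s %255s", mp) == 1 &&
            !is_seen(&now, mp) && now.count < MAX_MOUNTS) {
            strcpy(now.seen[now.count++], mp);
            if (!is_seen(st, mp)) { apply_rules(mp); added++; }
        }
        if ((line = strchr(line, '\n')) != NULL) line++;
    }
    *st = now;  /* unmounted entries drop out, so a re-mount counts as new */
    return added;
}

int main(void)
{
    struct mount_state st = { .count = 0 };
    return process_mount_table(BOOT_TABLE, &st) == 2 ? 0 : 1; /* init pass */
}
```

A plugin would pass in the contents of `/proc/mounts` at start-up and again each time it learns the table has changed.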





