[redhat-lspp] Re: RHEL5 Kernel with labeled networking
Steve Grubb
sgrubb at redhat.com
Wed Oct 4 16:34:20 UTC 2006
On Tuesday 03 October 2006 17:30, Karl MacMillan wrote:
> > I meant with the audit tools, so using auditctl to add/remove rules and
> > ausearch for looking for specific record types.
>
> As I said in my other mail the searching should be fine. Why does the
> addition or removal need to be handled by auditctl?

Because we want to teach admins to use the audit system to...audit. It's really
awkward to tell them that you can audit almost everything, but if you need to
do this one other thing, you need to change your policy to do it.

Also, the audit system records changes to itself so that you can see when that
rule disappeared from the config. Doing it in policy, all you get is a policy
loaded message, which doesn't tell you what in the policy changed.

-Steve