Re: key in syscall audit rules.
On Wednesday 18 May 2005 16:33, Casey Schaufler wrote:
We've hashed the notion of intellegence in audit
daemons before, and the danger that mapping in
real time will fail remains
We aren't really talking about doing anything in the audit daemon. It doesn't
have time. We are discussing having ausearch interpret the audit key with the
current rules vs the kernel emitting it as part of the message so there's no
version control issues later.
-Steve