I'd first like to say that I am a big fan of this auditing software, and
it has made life good for me (I am currently working on a project where
we are investigating system call behavior to see if any optimizations
are possible). I know this project is still in its early stages, but I
do have some suggestions:
1. I tried to do 'kill -HUP auditd' to get the daemon to re-read the
configuration file (in order to make it write to a new log file in case
the original got too big), but this did not work. As I understand it,
this is should be the expected behavior for daemons.
2. The name of the process (or command) which invoked the system call is
not logged (tsk->comm). I think it would not only be good to know
exactly what invoked it, but to know if the process associated with a
particular PID changes (if process P1 has PID N, invokes some system
calls, exits, and then process P2 gets PID N, invokes other system
calls, then P1 and P2 will be indistinguishable).
3. Maybe a way to set the log format would be helpful, so that you could
include only the information you need and keep log sizes to a minimum.
4. Since we can trace both entries and exits, there should be a way to
know what is an entry and what is an exit (I'm pretty sure you can't do
this right now). Also, it would be good if you could somehow correlate
entries and exits.
Avishay Traeger