On Wed, 2006-03-15 at 14:54 -0500, Steve Grubb wrote:
> On Wednesday 15 March 2006 14:31, Linda Knippers wrote:
> > I don't understand why this record is a good idea.
> Because it gives you extra information to search on. Suppose you wanted to see
> any failed log messages for auid 501. Without the partial record, you won't
> have the information for ausearch to key on.
So perhaps that information should be added to the avc messages? auid
is easy enough. We'd still lose exe=, paths, etc, but this entire
scenario only occurs when there are no audit rules at all, right, so for
any evaluated system, we would still have the full syscall audit records
emitted since they would have audit rules?
--
Stephen Smalley
National Security Agency
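The search problem Steve describes, and the auid-on-AVC variant Stephen floats, can be shown on sample records. The following is an added example, not code from the thread or from audit-userspace: it groups records by the audit(timestamp:serial) event key the way ausearch does, then asks which events can be keyed on auid=501. The log lines are constructed for this example (timestamps, serials, pids and paths are made up; field names follow the Linux audit format), and the last line, an AVC record carrying auid= with no SYSCALL record beside it, is the hypothetical format Stephen suggests, not something the 2006 kernel emitted.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original thread).
#   serial 456: SYSCALL + AVC, as emitted when audit rules are loaded.
#   serial 457: AVC alone, as when no rules are loaded and no partial record exists.
#   serial 458: AVC alone but with auid= appended (hypothetical, per Stephen's suggestion).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1142450000.123:456): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe4c0 a1=0 a2=0 a3=bfffe4c0 items=1 pid=3042 auid=501 uid=501 gid=501 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1142450000.123:456): avc:  denied  { read } for  pid=3042 comm="cat" name="shadow" dev=hda2 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1142450100.456:457): avc:  denied  { read } for  pid=3050 comm="cat" name="shadow" dev=hda2 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1142450200.789:458): avc:  denied  { write } for  pid=3061 comm="vi" name="passwd" dev=hda2 ino=12346 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file auid=501
"""

# msg=audit(<seconds.millis>:<serial>) is the key that ties the records of
# one event together; every record of the event carries the same pair.
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit records by event serial; each record becomes a field dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[serial].append(fields)
    return events


def events_for_auid(events, auid):
    """Serials of events in which any record carries auid=<auid> (ausearch -ua style)."""
    return sorted(serial for serial, recs in events.items()
                  if any(r.get("auid") == str(auid) for r in recs))


def unsearchable_avc_events(events):
    """Serials of events that have an AVC record but no record carrying auid= at all."""
    return sorted(serial for serial, recs in events.items()
                  if any(r.get("type") == "AVC" for r in recs)
                  and not any("auid" in r for r in recs))


def record_fields(events, serial):
    """Union of field names available across all records of one event."""
    names = set()
    for r in events[serial]:
        names.update(r)
    return names


if __name__ == "__main__":
    ev = parse_records(SAMPLE_LOG)
    print("events keyable on auid=501:", events_for_auid(ev, 501))
    print("AVC events with no auid anywhere:", unsearchable_avc_events(ev))
    print("exe= present for 456:", "exe" in record_fields(ev, 456))
    print("exe= present for 458:", "exe" in record_fields(ev, 458))
```

Serial 457 is the case under discussion: with no SYSCALL record and no partial record there is nothing to key an auid search on. Serial 458 shows that putting auid= on the AVC line makes the event searchable, while exe= and the path fields that only the SYSCALL and PATH records carry are still absent, which is the trade-off Stephen's reply points out.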