On Wed, May 18, 2005 at 04:42:11PM -0400, Steve Grubb wrote:
> On Wednesday 18 May 2005 16:33, Casey Schaufler wrote:
> > We've hashed the notion of intelligence in audit
> > daemons before, and the danger that mapping in
> > real time will fail remains
> We aren't really talking about doing anything in the audit daemon. It doesn't
> have time. We are discussing having ausearch interpret the audit key with the
> current rules vs the kernel emitting it as part of the message so there are no
> version control issues later.
I'm confused, I thought we had agreed that this needs to be in the audit
daemon since there's no easy way for ausearch to make sense of entries
older than the current ruleset. I don't think that it would be a
noticeable performance hit, it's just a matter of looking up the numbered
entry in a string array and appending it to the record.
-Klaus