On Fri, 2005-04-01 at 09:51 -0500, Steve Grubb wrote:
> If we go this route, I'd like to push my original patch to get comm and
> syscall information in the avc messages. Dan has been wanting an improvement
> in that area for quite a while.

IMHO, that's different - it is one thing to say that we won't remove any
information from the existing avc messages even if we duplicate it in
the syscall auditing for compatibility; it is another thing to add new
information to the avc messages that is better suited to the syscall
auditing. If Dan or others want new information, it is reasonable to
tell them to enable syscall auditing (after adding that information to
it). Telling people that they have to enable syscall auditing and
correlate multiple audit messages to retain old information is more
problematic.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency