For some reason I was thinking that there was more information in the
audit log when a rule or watch was added but there isn't. Since all
the information is known at the point where the current audit records
are generated (I think that's the case), couldn't we just include more
information in the record? I don't see the userspace connection here
but I could be missing something.
-- ljk
Steve Grubb wrote:
On Wednesday 09 November 2005 18:15, Linda Knippers wrote:
>I just noticed the message is similarly vague when system call
>rules are removed. It just says "removed an audit rule".
So, who wants to update this? I agree that we could at least put the list name
& syscall number(s) into it or "all" if that applies. There's no way the
kernel should do the whole thing since that duplicates userspace. Just the
syscall & list name would be enough to guess the rule in most cases.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit