Re: auditd design decision
On Saturday 08 January 2005 15:09, Timothy R. Chavez wrote:
I think it'd be easy for the time being to insert watch points
at
auditd start up and remove watch points at auditd shut down. Or if
you prefer not to add code to auditd, we can do something like:
Insert watch points:
./auditctl -W watch.list
Remove watch points:
./auditctl -w watch.list
I view the audit rules in much the same way as IP Tables. I don't think the
daemon should do the loading. What I was going to do was create an option to
take the commandline options from a file. It would read the file to its end
loading a rule with each newline.
You might want to create the syntax for loading 1 watch point. The file option
will load everything for you. This is the direction I'm planning to take the
initscripts.
-Steve