Steve Grubb wrote:
I also don't like the idea of handling this by all those syscalls or using
"all" because user space tools could get out of sync with the kernel. On any
kernel upgrade, there could be a new syscall that allows file system access.
The user space tools wouldn't know about it and wouldn't provide automatic
coverage.
Maybe we ought to have a way to specify all system calls of a
particular type and let the kernel audit code decide which ones
those are. We could group file operations, mode changes, ownership
changes, privilege changes, execs, time changes, etc. That way
admins don't necessarily have to know all the different ways one
might do a chown, lchown, fchown, etc. And maybe there should be
an 'all' that really means 'all' and not just all that the user
space tools know about.
-- ljk