On Friday 10 March 2006 16:57, Amy Griffis wrote:
> You may want to audit_log a message indicating that the audit rules
> were updated due to policy reload. And in the case when you remove a
> rule because you couldn't update it, you might want to log that too.

Do we really need to audit_log that? I would think that syslog is enough. We
already have an event that a policy load occurred, can it be assumed that all
these were updated? We do not do audit_log for other things that may or may
not exist. For example, what if you put a rule in for uid=5000 when you meant
500. The kernel does not say anything.
-Steve