On Thu, 2005-05-26 at 08:49 -0400, Steve Grubb wrote:
> This seems like a source of unintended error. How do we let the system admin
> know that they've lost events because they needed to specify possible?

The same way we let the sysadmin know that they've lost events because
they needed to specify a rule for whatever they wanted to watch -- i.e.
not at all, because it's not up to us to second-guess possible errors in
the configuration.

> Could an audit context be created on demand?

Perhaps, but not nicely. And by that time we've already failed to log
the syscall information at syscall_audit_entry() anyway.

We could perhaps create one and record partial information, but I'm not
sure I see the point. If the admin said that this task wasn't to be
audited, why would we disobey?

> The fact that it's a watched inode would indicate that auditing is
> intended.

Conversely, the fact that it's a task for which no auditing was
specified would indicate that auditing is not intended.

--
dwmw2