On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2017-07-24 11:52, Steve Grubb wrote:
> > On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> > > Add a column to indicate the source of the message, including indicating
> > > whether or not it is related to syscalls.
> > >
> > > Column name: SOURCE
> > > Key:
> > > CTL Control messages, usually initiated by audit daemon.
> >
> > Most of these come from auditctl. Auditd only sends enable and setpid.
>
> I had considered auditctl as part of the audit daemon, as opposed to
> pam, systemd, vsftpd et al that supply user event messages, though I
> suppose even systemd wants to play audit controller too ...

I think trying to chase down which application is trying to manage the
audit subsystem is a losing battle. In fact, I honestly would
probably shrink this "source" list down to just a few possible values:
kernel, userspace, and control. I'm not convinced that granularity
below this level is particularly useful, and could be confusing.
--
paul moore
www.paul-moore.com