On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
I knew that more keys can be added with the 0x01 separator. However, this
patch supports different types of keys and plugins could recognize audit
events using them.
For example, I'm working on reactive audit and I need to separate normal
audit events from those generated by reactive rules and find out which
reaction(s) should be triggered. -F react=reaction can be added to the
audit (AUDIT_REACTKEY) and audit events would include reaction identifiers
such as react="reaction"

OK, I see. What I would suggest is a mechanism with a new name. One thing I
will point out is that the kernel prefers to work off of integers instead of
strings. Strings are for people, numbers are for the computer. (E.g. root vs
0.) So, I would consider calling this something else and using integers so
that comparisons are faster.
-Steve