On Mon, Feb 10, 2014 at 9:47 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
> it would have been a lot nicer if audit calls just immediately emitted
> audit records, completely independently of the syscall machinery.
Because the majority of people needing audit need syscall records for it to
make any sense. The auxiliary records generally report on the object of the
syscall. We still require information about who was doing something, what they
were doing, and what the result was.
Even if you just get the AVC's, you still don't know what happened. If you get
a deny record, was it really denied? The system could have been in permissive
mode and the syscall succeeded. You only get the real decision when you have
syscall records.
Fair enough.
I'll see if I can turn this into something more workable.
--Andy