Re: user audits
On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
Would there be any issue with adding a couple new
trusted_application
event types? Would any kernel mods be needed to support this?
Are these events originating in user space or the kernel? I might be convinced to set
aside the block of IDs from 2600 - 2699 for local use if a suitable framework were
written. This would mean that there is some config file that holds the local mapping of
event IDs to text and ausearch/report/parse will need to be patched to understand
local definitions.
Would you be interested in this approach?
-Steve