On Wed, May 18, 2005 at 05:01:50PM +0100, David Woodhouse wrote:
> It doesn't actually need to be mapped by auditd before it hits the log.
> Storing it as-is in the log probably makes more sense.

Storing only numbers makes it very hard to interpret older log entries;
the mapping table can potentially change at any time, and there's no sane
way to track the history of all changes to watches to do that.
I don't object to storing only numbers in the kernel and mapping in
userspace, but the mapping back to strings would need to happen before
they end up in the log.
-Klaus