* Debora Velarde (dvelarde(a)us.ibm.com) wrote:
> > Also, we need to decide what the default behavior should be.
> > For our tests, there would be considerably less impact if:
> > "auditctl -a entry,always -S chmod"
> > would result in two rules being added:
> > auditctl -a entry,always -S chmod -F arch=32
> > auditctl -a entry,always -S chmod -F arch=64
> This adds 2 rules for my machine which is not 64 bit capable. Every rule added
> slows the whole system down every time there's the potential to generate an
> audit event.
Is it possible for auditctl to determine if it is on a 64bit capable
system, if so it will add both rules.
Otherwise it will only add the arch=32 bit rule?
I'd expect that adding a rule with arch=64 on a 32bit machine would fail.
But, arch=32/64 doesn't look like the right solution. We are exposing
the underlying architecture which is more granular than 32 vs. 64 bit.
It includes various architectures as well. Why not keep this value
the same as the output in the audit message? And if it's done as it
currently is, the records could (theoretically) be parsed on a machine
with a different cpu arch than the machine that generated the record.
thanks,
-chris
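
Added example, not part of the original message: a sketch of why the arch value in a SYSCALL audit record is enough to interpret the record on a machine of a different CPU architecture. The log lines are constructed samples, the helper names are hypothetical, and the chmod table covers only i386 and x86_64.

```python
import re

# Flag bits from the kernel's audit.h; the low bits carry the ELF machine number.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
ELF_MACHINES = {3: "i386", 20: "ppc", 21: "ppc64", 22: "s390", 50: "ia64", 62: "x86_64"}

# chmod has a different syscall number per architecture (only two listed here).
CHMOD_NR = {0x40000003: 15, 0xC000003E: 90}

RECORD_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b.*?\bsyscall=(\d+)")

def decode_arch(value):
    """Split an audit arch value into (machine, word size, endianness)."""
    machine = value & ~(AUDIT_ARCH_64BIT | AUDIT_ARCH_LE)
    name = ELF_MACHINES.get(machine, "em%d" % machine)  # unknown machines stay numeric
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    return name, bits, endian

def parse_syscall_record(line):
    """Return (arch, syscall number) from a SYSCALL record, or None."""
    m = RECORD_RE.search(line)
    if not line.startswith("type=SYSCALL") or m is None:
        return None
    return int(m.group(1), 16), int(m.group(2))

def is_chmod(line):
    """True only if the syscall number means chmod on the recorded arch."""
    parsed = parse_syscall_record(line)
    if parsed is None:
        return False
    arch, nr = parsed
    return CHMOD_NR.get(arch) == nr

# Constructed sample records: the third reuses number 90 on i386, where it is not chmod.
SAMPLE = [
    "type=SYSCALL msg=audit(1100000000.123:101): arch=c000003e syscall=90 success=yes exit=0",
    "type=SYSCALL msg=audit(1100000000.456:102): arch=40000003 syscall=15 success=yes exit=0",
    "type=SYSCALL msg=audit(1100000000.789:103): arch=40000003 syscall=90 success=yes exit=0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        arch, nr = parse_syscall_record(line)
        print(decode_arch(arch), nr, "chmod" if is_chmod(line) else "other")
```
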