On Wednesday 29 March 2006 14:34, Valdis.Kletnieks(a)vt.edu wrote:
> In that case, the patch writes out the sid number. Given a sid, is there
> a way to find it in the policy on disk? If not, that might be useful to
> have.
The problem is that by the time you go to snarf it out of the policy on
disk, it may no longer match the policy in effect at the time of the record
generation.
That should be handled by site configuration control. Assuming that they are
careful to keep old policy around...can it be correlated?
The hole probably isn't *that* bad if auditd is doing the
grovelling.
Auditd has no time to do any correlation. This would have to be done
post-mortem just like uid conversion is done. I think this is an exceptional
condition and just want to make sure we can close the loop manually if this
ever happened.
-Steve