Re: key in syscall audit rules.
On Wed, 2005-05-18 at 10:28 -0500, Timothy R. Chavez wrote:
Well "9" (or rather a 32b/64b hash) could map to something
in a userland table
of sorts which would produce "attempted-shadow-write" before it got to the
log. There's most definitely a space savings here and we shouldn't be so
free to use kernel memory as we do user memory, but is it really worth all
the extra complexity to try to decipher the meaning of "9" in userland?
IMHO, no. *shrug*
Agreed. Can you change the auditfs patch to use numeric keys in the next
incarnation, please? This kind of thing really doesn't live in the
kernel.
It doesn't actually need to be mapped by auditd before it hits the log.
Storing it as-is in the log probably makes more sense.
--
dwmw2