On Thursday 19 May 2005 08:17, David Woodhouse wrote:
> Mangling strings with purely cosmetic data in them is not a task for
> the kernel. I'd suggest that it isn't a task for auditd either.
There is another reason why text strings are preferable. It may take 5-6 audit
rules to cover a scenario. How do you know these rules go together to cover a
scenario when you are doing post-mortem analysis? Also, the analysis may be
done on a different machine from the one the data was collected on. I can
also see that we may have a combination of filesystem and syscall rules that
go together to cover a scenario.
-Steve
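The argument above is that a text key lets an analyst, possibly on another machine and without the rule set, tell which records belong to the same scenario. The script below is an added illustration, not code from the thread or from the audit project: it parses constructed auditd-style records (the `key="..."` field and the `-k` rule syntax in the comments are as written by current auditctl/auditd, which is an assumption relative to this 2005 discussion), groups records into events by their serial number, and then reassembles each scenario purely from the key that the rules attached.

```python
import re
from collections import OrderedDict

# Constructed sample records (not from the original thread). The "identity"
# scenario is covered by two rules that share one key, e.g. (modern syntax,
# assumed here):
#   auditctl -w /etc/shadow -p wa -k identity
#   auditctl -a exit,always -S chmod -S fchmod -k identity
# Event 204 comes from a rule with no key, so nothing ties it to a scenario.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1116500000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=1 items=1 ppid=1 pid=4242 auid=500 uid=0 comm="vipw" exe="/usr/sbin/vipw" key="identity"
type=PATH msg=audit(1116500000.101:201): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1116500000.250:202): arch=c000003e syscall=90 success=yes exit=0 a0=1 items=1 ppid=1 pid=4243 auid=500 uid=0 comm="chmod" exe="/bin/chmod" key="identity"
type=PATH msg=audit(1116500000.250:202): item=0 name="/etc/passwd" inode=1233 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1116500001.000:203): arch=c000003e syscall=2 success=yes exit=4 a0=1 items=1 ppid=1 pid=4244 auid=500 uid=500 comm="cat" exe="/bin/cat" key="logins"
type=PATH msg=audit(1116500001.000:203): item=0 name="/var/log/wtmp" inode=99 dev=08:01 mode=0100664 ouid=0 ogid=0
type=SYSCALL msg=audit(1116500002.000:204): arch=c000003e syscall=2 success=yes exit=5 a0=1 items=1 ppid=1 pid=4245 auid=500 uid=500 comm="cat" exe="/bin/cat"
"""

AUDIT_MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd line into a dict of field -> value (quotes stripped)."""
    m = AUDIT_MSG_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "ts": float(m.group("ts"))}
    for name, value in FIELD_RE.findall(line):
        if name == "msg":  # already decoded into ts/serial above
            continue
        rec[name] = value.strip('"')
    return rec


def group_events(log_text):
    """Every record of one event carries the same serial; group on that."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def event_key(records):
    """The key rides on the SYSCALL (or watch) record; the others carry none."""
    for rec in records:
        if "key" in rec:
            return rec["key"]
    return None


def events_for_key(log_text, key):
    """[(serial, records)] for each event tagged with `key`, in log order."""
    return [(serial, recs) for serial, recs in group_events(log_text).items()
            if event_key(recs) == key]


def paths_touched(records):
    """File names from the PATH records of one event."""
    return [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]


def scenario_report(log_text):
    """key -> serials: the scenario reassembled without access to the rules."""
    report = {}
    for serial, recs in group_events(log_text).items():
        report.setdefault(event_key(recs), []).append(serial)
    return report


if __name__ == "__main__":
    for key, serials in scenario_report(SAMPLE_LOG).items():
        print(f"scenario {key!r}: events {serials}")
    for serial, recs in events_for_key(SAMPLE_LOG, "identity"):
        print(serial, recs[0]["comm"], paths_touched(recs))
```

Note that the records under the `None` key are exactly the ones the analyst cannot place: without a key there is no way to tell from the log alone which of the several rules produced event 204, which is the problem the reply is pointing at.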