Re: New Audit types

On Wednesday 02 November 2005 11:43, Matt Anderson wrote: Just a generic question -- do we need to patch cat, cp, rsync, scp, star, ... to have these, too? What if they do: file=`cat secret` echo $file > /mnt/unlabeled-device/file Would it be reasonable to expect the shell script trigger this event? If so, would we need to patch all these apps or should this be done via kernel mechanism? If catching this is reasonable...what about anything else like perl, python, expect, etc. These seem to be user space oriented, so I'll add these to libaudit.h. I think we also need these: AUDIT_LABELED_IMPORT AUDIT_UNLABELED_IMPORT But as to whether they are kernel or userspace message types will depend on discussing the first paragraph. -Steve