On Tuesday 05 April 2005 17:45, Debora Velarde wrote:
> I'm partial to:
> auditctl -a entry,always -S chmod -F arch=64
> auditctl -a entry,always -S chmod -F arch=32

Me too...less typing. What I was thinking about doing was treating it like
syscall. If you give it a number, it uses that. Otherwise it translates it
into the correct number and uses that.

> Something like 0x800000000 would be okay, if:
> 1. we document it in the man page what each value means

Right. But we need to tell them how to get the elf machine type.

> 2. auditctl is smart enough to understand that 0x8000 is the same as
> 0x800000000.

huh?

> Also, we need to decide what the default behavior should be.
> For our tests, there would be considerably less impact if:
> "auditctl -a entry,always -S chmod"
> would result in two rules being added:
> auditctl -a entry,always -S chmod -F arch=32
> auditctl -a entry,always -S chmod -F arch=64

This adds 2 rules for my machine which is not 64 bit capable. Every rule added
slows the whole system down every time there's the potential to generate an
audit event.

> Also from the user point of view, if they want to audit chmod syscalls,
> they more likely want to audit all of them, not just 32bit or 64bit
> versions of them.

I suspect that a user on a 64 bit machine may think this way. It's a waste for 32
bit machines.
-Steve
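
An added example, not code from this thread or from auditctl: one way the arch handling discussed above could look in C, taking either a number or a shorthand name, and choosing default rules per machine. It assumes x86 targets, 32-bit field values, and `32`/`64` as the shorthand names; the helper names and the per-machine default are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ELF machine numbers (elf.h) and audit arch flag bits (linux/audit.h),
 * repeated under EX_ names so this builds without kernel headers. */
#define EX_EM_386      3u
#define EX_EM_X86_64   62u
#define EX_ARCH_64BIT  0x80000000u
#define EX_ARCH_LE     0x40000000u
#define EX_ARCH_I386   (EX_EM_386 | EX_ARCH_LE)
#define EX_ARCH_X86_64 (EX_EM_X86_64 | EX_ARCH_64BIT | EX_ARCH_LE)

/* Hypothetical helper: resolve the argument of "-F arch=<arg>".
 * "32" and "64" are shorthand and are checked first because they also
 * parse as numbers; anything else must be one complete number. */
int arch_field_value(const char *arg, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (arg == NULL || out == NULL) return -EINVAL;
    if (strcmp(arg, "32") == 0) { *out = EX_ARCH_I386; return 0; }
    if (strcmp(arg, "64") == 0) { *out = EX_ARCH_X86_64; return 0; }
    if (arg[0] < '0' || arg[0] > '9') return -EINVAL; /* no sign, no blanks */
    errno = 0;
    v = strtoul(arg, &end, 0); /* base 0: decimal, 0x hex or 0 octal */
    if (errno != 0 || *end != '\0' || v > UINT32_MAX) return -EINVAL;
    *out = (uint32_t)v;
    return 0;
}

/* Hypothetical default when a rule carries no arch field: one rule per ABI
 * the machine can run, so a 32-bit-only machine gets a single rule. */
size_t default_arches(int can_run_64bit, uint32_t out[2])
{
    size_t n = 0;

    out[n++] = EX_ARCH_I386;
    if (can_run_64bit) out[n++] = EX_ARCH_X86_64;
    return n;
}
```

A value wider than 32 bits is rejected rather than truncated, so a mistyped constant cannot silently become a different arch filter.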