Re: [RFC PATCH] specs: update message dictionary with source column

On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > On 2017-07-24 11:52, Steve Grubb wrote: >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote: >> > Add a column to indicate the source of the message, including indicating >> > whether or not it is related to syscalls. >> > >> > Column name: SOURCE >> > Key: >> > CTL Control messages, usually initiated by audit daemon. >> >> Most of these come from auditctl. Auditd only sends enable and setpid. > > I had considered auditctl as part of the audit daemon, as opposed to > pam, systemd, vsftpd et al that supply user event messages, though I > suppose even systemd wants to play audit controller too ... I think trying to chase down which application is trying to manage the audit subsystem is a losing battle. In fact, I honestly would probably shrink this "source" list down to just a few possible values: kernel, userspace, and control. I'm not convinced that granularity below this level is particularly useful, and could be confusing.

paul moore