On Friday 23 September 2005 14:47, Timothy R. Chavez wrote:
> For instance, adding and removing rules could be done by the 'aurule'
> command, leaving 'auditctl' to handle things like backlog, rate limits,
> enabling and disabling of the audit subsystem, etc. I have to admit, I
> quite like the idea.

aurule would need to be able to increase the backlog limit and set failure
mode in order to handle the capp rules that is part of the package. So, you
wouldn't really gain much.

> I'm not a big fan of all-in-wonder tools and that if we could, we should
> split auditctl up before it turns into a menagerie of ideas that are linked
> simply by the fact they interact or utilize the audit subsystem in some
> way, shape, or form.

auditctl has a very simple mission. Load, delete, and list rules. Nothing
else. It will not be growing in the future other than to accommodate new rule
syntax. I would like to get rid of the "-t" option as I feel it doesn't fit
what auditctl should do.
I guess when you think about it, auditctl is aurule.
-Steve