> 2. auditctl is smart enough to understand that 0x8000 is the same as
> 0x800000000.
huh?
Never mind, not important if we go with the 'arch=64' 'arch=32' idea.
> Also, we need to decide what the default behavior should be.
> For our tests, there would be considerably less impact if:
> "auditctl -a entry,always -S chmod"
> would result in two rules being added:
> auditctl -a entry,always -S chmod -F arch=32
> auditctl -a entry,always -S chmod -F arch=64
This adds 2 rules for my machine which is not 64 bit capable. Every rule
added slows the whole system down every time there's the potential to
generate an audit event.
Is it possible for auditctl to determine if it is on a 64bit capable
system, if so it will add both rules.
Otherwise it will only add the arch=32 bit rule?
> Also from the user point of view, if they want to audit chmod syscalls,
> they more likely want to audit all of them, not just 32bit or 64bit
> versions of them.
I suspect that a user on a 64 bit machine may think this way. It's a
waste for 32 bit machines.
I realize our evaluation isn't the only thing to consider. But, most of
the systems in our evaluation are 64bit.
-debbie
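
The behaviour asked about above (both rules on a 64-bit capable system, only the 32-bit rule otherwise), sketched as an added shell example that is not part of the original thread or of auditctl itself. It prints the commands rather than loading them, and it uses the `arch=b32`/`arch=b64` values and the `exit` list of released auditctl in place of the `arch=32`/`arch=64` spelling proposed in the thread. The function names and the machine-name mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit one audit rule per syscall ABI the machine can run.
# The mapping of `uname -m` values below is an assumption that covers a
# few common platforms; extend it for others.

# abis_for_machine MACHINE -> prints the auditctl arch values to cover
abis_for_machine() {
    case "$1" in
        x86_64|ppc64|s390x) echo "b32 b64" ;;  # bi-arch: both ABIs reachable
        i?86|ppc|s390)      echo "b32" ;;      # 32-bit only: one rule suffices
        *) return 1 ;;                         # unknown: refuse to guess
    esac
}

# rules_for_syscall MACHINE SYSCALL -> prints one auditctl command per ABI
rules_for_syscall() {
    abis=$(abis_for_machine "$1") || {
        echo "unknown machine type: $1" >&2
        return 1
    }
    for abi in $abis; do
        echo "auditctl -a always,exit -F arch=$abi -S $2"
    done
}

# Print (not load) the chmod rules for the running machine
rules_for_syscall "$(uname -m)" chmod || true
```

On a 32-bit only machine this yields a single rule, so the per-rule overhead raised in the thread is paid only where a second syscall ABI actually exists.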