
Re: audit 0.6.10 released



* Debora Velarde (dvelarde us ibm com) wrote:
> > > Also, we need to decide what the default behavior should be.
> > > For our tests, there would be considerably less impact if:
> > > "auditctl -a entry,always -S chmod"
> > > would result in two rules being added:
> > >       auditctl -a entry,always -S chmod -F arch=32
> > >       auditctl -a entry,always -S chmod -F arch=64
> 
> > This adds 2 rules for my machine which is not 64 bit capable. Every rule added
> > slows the whole system down every time there's the potential to generate an
> > audit event.
> 
> Is it possible for auditctl to determine if it is on a 64bit capable
> system, if so it will add both rules.
> Otherwise it will only add the arch=32 bit rule?

I'd expect that adding a rule with arch=64 on a 32bit machine would fail.
But, arch=32/64 doesn't look like the right solution.  We are exposing
the underlying architecture which is more granular than 32 vs. 64 bit.
It includes various architectures as well.  Why not keep this value
the same as the output in the audit message?  And if it's done as it
currently is, the records could (theoretically) be parsed on a machine
with a different cpu arch than the machine that generated the record.

thanks,
-chris
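
The arch value as it appears in audit records, decoded without reference to the host CPU (an added example, not part of the original message or the audit project's code). The sample records and the partial syscall tables are constructed for illustration; the flag bits and ELF machine numbers follow the Linux audit and ELF headers.

```python
import re

# Flag bits OR-ed onto the ELF machine number in the kernel's AUDIT_ARCH_* values.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
ELF_MACHINES = {3: "i386", 20: "ppc", 21: "ppc64", 22: "s390", 50: "ia64", 62: "x86_64"}

# Partial syscall tables (illustrative subset): the same number names a
# different call on each ABI, so a record is ambiguous without its arch.
SYSCALLS = {
    "i386": {15: "chmod", 90: "mmap"},
    "x86_64": {15: "rt_sigreturn", 90: "chmod"},
}

FIELD = re.compile(r"(\w+)=(\S+)")

def decode_arch(value):
    """Split a hex arch= value into (machine name, word size, byte order)."""
    raw = int(value, 16)
    number = raw & 0xFFFF
    machine = ELF_MACHINES.get(number, "unknown(%d)" % number)
    bits = 64 if raw & AUDIT_ARCH_64BIT else 32
    order = "little" if raw & AUDIT_ARCH_LE else "big"
    return machine, bits, order

def describe(record):
    """Return (machine, bits, syscall name) for one SYSCALL record."""
    fields = dict(FIELD.findall(record))
    machine, bits, _order = decode_arch(fields["arch"])
    name = SYSCALLS.get(machine, {}).get(int(fields["syscall"]), "unknown")
    return machine, bits, name

# Constructed sample records, as if collected from two different machines.
SAMPLE = [
    "type=SYSCALL msg=audit(1150000000.123:41): arch=40000003 syscall=15 success=yes exit=0",
    "type=SYSCALL msg=audit(1150000000.456:42): arch=c000003e syscall=15 success=yes exit=0",
    "type=SYSCALL msg=audit(1150000000.789:43): arch=c000003e syscall=90 success=yes exit=0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(describe(line))
```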

