Adding a key to syscall rules

Timothy R. Chavez tinytim at us.ibm.com
Mon May 2 17:55:10 UTC 2005


On Mon, 2005-05-02 at 13:37 -0400, Steve Grubb wrote:
> On Monday 02 May 2005 12:06, Timothy R. Chavez wrote:
> > I like this idea, it certainly doesn't hurt to have.
> 
> It's basically adding something that's in filesystem auditing to syscall to get
> symmetry back. It's out of balance now.
> 
> > What's your time frame for introducing new functionality to auditctl?
> 
> Probably later this week. I'm planning to release 0.7.3 today or tomorrow 
> morning with your filesystem list patch + a few more things implemented in 
> ausearch.
> 

We need to freeze development shortly with regards to the CAPP eval.  I
can't speak for the IBM test team (and they should really speak up), but
I suspect that adding another field to the audit record is probably not
feasible due to time and resource constraints on our part.

I'd imagine having this field would be tremendously helpful for the
ausearch utility, but how necessary is it?

-tim




