[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: is this message necessary?



For some reason I was thinking that there was more information in the
audit log when a rule or watch was added but there isn't.  Since all
the information is known at the point where the current audit records
are generated (I think that's the case), couldn't we just include more
information in the record?  I don't see the userspace connection here
but I could be missing something.

-- ljk

Steve Grubb wrote:
> On Wednesday 09 November 2005 18:15, Linda Knippers wrote:
> 
>>I just noticed the message is similarly vague when system call
>>rules are removed.  It just says "removed an audit rule".
> 
> 
> So, who wants to update this? I agree that we could at least put the list name 
> & syscall number(s) into it or "all" if that applies. There's no way the 
> kernel should do the whole thing since that duplicates userspace. Just the 
> syscall & list name would be enough to guess the rule in most cases.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]