Watch Performance

Amy Griffis amy.griffis at hp.com
Fri Apr 21 15:01:04 UTC 2006


Klaus Weidner wrote:     [Mon Apr 17 2006, 04:06:56PM EDT]
> On Mon, Apr 17, 2006 at 10:27:34AM -0500, Timothy R. Chavez wrote:
> > Maybe this is a completely stupid thought, but what about the option of
> > adding a per-syscall filter list table, indexed by system-call number.
> 
> That's how LAuS worked... You'd need to support multiple lists to handle
> multiple personalities (i.e. 32-bit code running on x86_64).
> 
> The amount of space used isn't too bad; it would also be possible to use
> reference counting to share entries for identical rules.

This approach makes a lot of sense to me.  I think it would be a good
next-step for audit filtering.
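
The design discussed in this thread, as an added example that is not from the posters or from the Linux audit code: a filter table indexed by personality and syscall number, with reference-counted rules shared between lists. The struct layout, function names, table size and uid-only match are assumptions made for illustration; the syscall numbers used in the comments (open is 2 on x86_64 and 5 on i386) are the real ones.

```c
#include <stdlib.h>

#define NR_SYSCALLS 512                     /* assumed table size */
enum { ARCH_X86_64, ARCH_I386, NR_ARCH };   /* one table per personality */
struct rule { int refcnt; unsigned uid; };  /* hypothetical rule: match on uid only */
struct node { struct rule *r; struct node *next; };
static struct node *table[NR_ARCH][NR_SYSCALLS];

struct rule *rule_new(unsigned uid) {
    struct rule *r = calloc(1, sizeof *r);
    if (r) r->uid = uid;
    return r;
}

/* Link one shared rule into the list for (arch, nr); returns its new refcount. */
int rule_attach(struct rule *r, unsigned arch, unsigned nr) {
    struct node *n;
    if (arch >= NR_ARCH || nr >= NR_SYSCALLS || !(n = malloc(sizeof *n)))
        return -1;
    *n = (struct node){ r, table[arch][nr] };
    table[arch][nr] = n;
    return ++r->refcnt;
}

/* Unlink from (arch, nr); the rule is freed when its last reference drops. */
int rule_detach(struct rule *r, unsigned arch, unsigned nr) {
    if (arch >= NR_ARCH || nr >= NR_SYSCALLS) return -1;
    for (struct node **pp = &table[arch][nr]; *pp; pp = &(*pp)->next) {
        if ((*pp)->r != r) continue;
        struct node *n = *pp;
        int left = --r->refcnt;
        *pp = n->next;
        free(n);
        if (left == 0) free(r);
        return left;            /* references remaining on other lists */
    }
    return -1;                  /* rule was not on this list */
}

/* Syscall-entry check: only rules for this personality and number are walked,
 * so e.g. a rule on x86_64 open (nr 2) costs nothing on i386 nr 2 (fork). */
int audit_match(unsigned arch, unsigned nr, unsigned uid, int *walked) {
    int hit = 0;
    *walked = 0;
    if (arch >= NR_ARCH || nr >= NR_SYSCALLS) return 0;
    for (struct node *n = table[arch][nr]; n; n = n->next, (*walked)++)
        if (n->r->uid == uid) hit = 1;
    return hit;
}
```

Attaching the same rule at (ARCH_X86_64, 2) and (ARCH_I386, 5) watches open under both personalities with a single rule object and a reference count of 2.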



