[PATCH] audit keys: support for multiple audit keys

Steve Grubb sgrubb at redhat.com
Fri Mar 12 19:40:14 UTC 2010


On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
> I knew that more keys can be added with the 0x01 separator. However, this
> patch supports different types of keys and plugins could recognize audit
> events using them.
> 
> For example, I'm working on reactive audit and I need to separate normal
> audit events from those generated by reactive rules and find out which
> reaction(s) should be triggered. -F react=reaction can be added to the
> audit (AUDIT_REACTKEY)
> and audit events would include reaction identifiers such as
> react="reaction"

OK, I see. What I would suggest is a mechanism with a new name. One thing I 
will point out is that the kernel prefers to work off of integers instead of 
strings. Strings are for people, numbers are for the computer. (E.g. root vs 
0.) So, I would consider calling this something else and using integers so 
that comparisons are faster.
 
-Steve



