On 06/11/2017 12:41, Laurent Bigonville wrote:

> The proper way to monitor the audit log would be to use audispd and
> create a daemon responding to the events (this is what setroubleshoot is
> doing).
> 
> Parsing the logs manually is meh (especially if you take into account
> that the kernel is not using the proper audit event id)

While I agree it's the Right Thing To Do, right now aa-notify just
parses the log and it works OK. It just needs the proper permissions on
the log to do that without being root.

Can't we implement the permission solution as a first step? Even if
it's not a perfect solution, it just works, and I don't see any harmful
side-effect - that's what the adm group is for, IMO. Of course, please
correct me if I'm wrong!


Cheers,

-- 
nodens
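As an added illustration, not code from this thread, from aa-notify or from the AppArmor project: a small Python parser for the AppArmor audit records that a log-reading tool like aa-notify has to deal with, run over a few constructed sample lines. It keys on the `apparmor=` field rather than on the audit record type, since the thread points out that the kernel does not emit a dedicated audit event id for these records, and it turns the PermissionError that a non-root reader hits on the audit log into a clear message. The function names (`parse_line`, `summarize_denials`, `load_events`) and the sample lines are my own assumptions, not anything the thread or aa-notify defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# key="value" or key=value pairs as they appear in an audit record body.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The audit(...) header followed by the AppArmor fields. Matches both
# audit.log lines ("type=AVC msg=audit(...)") and syslog/kern.log lines
# ("audit: type=1400 audit(...)"): the record type is the generic AVC one,
# so we key on the apparmor= field instead of on the type.
_HDR_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):\s*(apparmor=.*)$')


@dataclass
class AppArmorEvent:
    timestamp: float
    serial: int
    status: str          # "DENIED" (enforce) or "ALLOWED" (complain mode)
    operation: str
    profile: str
    name: str            # target path; empty for non-file operations
    pid: int
    comm: str
    requested_mask: str
    denied_mask: str


def parse_line(line: str) -> Optional[AppArmorEvent]:
    """Parse one log line; return None for lines that are not AppArmor records."""
    hdr = _HDR_RE.search(line)
    if hdr is None:
        return None
    fields = {}
    for m in _KV_RE.finditer(hdr.group(4)):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return AppArmorEvent(
        timestamp=float(f"{hdr.group(1)}.{hdr.group(2)}"),
        serial=int(hdr.group(3)),
        status=fields.get("apparmor", ""),
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        name=fields.get("name", ""),
        pid=int(fields.get("pid", "0")),
        comm=fields.get("comm", ""),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
    )


def summarize_denials(lines: Iterable[str]):
    """Return (denied events, Counter keyed by (profile, operation, name))."""
    events = [e for e in map(parse_line, lines) if e is not None]
    denials = [e for e in events if e.status == "DENIED"]
    counts = Counter((e.profile, e.operation, e.name) for e in denials)
    return denials, counts


def load_events(path: str):
    """Read a log file; explain the failure when the log is not readable by this user."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return summarize_denials(fh)
    except PermissionError as exc:
        raise SystemExit(
            f"{path}: not readable as this user (audit logs are normally "
            "restricted to root unless group read access, e.g. for adm, is granted)"
        ) from exc


# Constructed sample lines (not real captures): two formats of the same
# denial, a complain-mode ALLOWED record, a non-AppArmor SYSCALL record and
# a capability denial without a file name.
SAMPLE_LOG = """\
type=AVC msg=audit(1509972060.123:101): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1509972061.456:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  6 12:41:02 host kernel: [ 1234.567] audit: type=1400 audit(1509972062.789:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1509972063.000:104): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1509972064.000:105): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=999 comm="ntpd" capability=12 capname="net_admin"
"""

if __name__ == "__main__":
    denials, counts = summarize_denials(SAMPLE_LOG.splitlines())
    for (profile, op, name), n in counts.most_common():
        print(f"{n:3d}  {profile}  {op}  {name or '-'}")
```

Run as a script it prints one line per distinct (profile, operation, target) denial with its count; `load_events("/var/log/audit/audit.log")` does the same against a real log and fails with a readable message rather than a traceback when the file is root-only, which is exactly the situation the group-permission proposal in this thread is about.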
