On Mon, Feb 10, 2014 at 9:47 AM, Steve Grubb <[email protected]> wrote:
> On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
>> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
>> it would have been a lot nicer if audit calls just immediately emitted
>> audit records, completely independently of the syscall machinery.
>
> Because the majority of people needing audit need syscall records for it to
> make any sense. The auxiliary records generally report on the object of the
> syscall. We still require information about who was doing something, what they
> were doing, and what the result was.
>
> Even if you just get the AVC's, you still don't know what happened. If you get
> a deny record, was it really denied? The system could have been in permissive
> mode and the syscall succeeded. You only get the real decision when you have
> syscall records.
>

Fair enough. I'll see if I can turn this into something more workable.

--Andy

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
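The point Steve makes above, as an added example that is not from this thread or from the audit project: a small Python correlator that groups records by the event serial in `msg=audit(timestamp:serial)`, and for each AVC denial reads the matching SYSCALL record's `success=` field to tell whether the operation was really blocked or went through in permissive mode. The log lines are constructed for the example, and the outcome labels are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Serial 101: AVC denial but the
# syscall succeeded (permissive mode). Serial 102: denial actually enforced.
# Serial 103: AVC only, no SYSCALL record, so the outcome cannot be determined.
SAMPLE_LOG = """\
type=AVC msg=audit(1392047262.123:101): avc:  denied  { read } for  pid=2001 comm="cat" name="shadow" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:test_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392047262.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1999 pid=2001 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
type=AVC msg=audit(1392047262.456:102): avc:  denied  { read } for  pid=2002 comm="cat" name="shadow" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:test_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392047262.456:102): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1999 pid=2002 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
type=AVC msg=audit(1392047262.789:103): avc:  denied  { write } for  pid=2003 comm="sh" name="passwd" dev="sda1" ino=1235 scontext=unconfined_u:unconfined_r:test_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# Every audit record starts with type=... msg=audit(timestamp:serial): ...
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_by_serial(text):
    """Group records by event serial; the serial is what ties an AVC to its SYSCALL."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[serial].append((rtype, body))
    return events

def real_outcome(text):
    """For each event holding an AVC denial, report what actually happened."""
    results = {}
    for serial, recs in group_by_serial(text).items():
        if not any(t == "AVC" and "denied" in b for t, b in recs):
            continue
        syscall = next((b for t, b in recs if t == "SYSCALL"), None)
        if syscall is None:
            # Only the AVC survived: the denial may or may not have been enforced.
            results[serial] = {"outcome": "unknown"}
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(syscall)}
        # success=yes on a denied AVC means the policy was permissive: the call went through.
        outcome = "succeeded-permissive" if f.get("success") == "yes" else "denied"
        results[serial] = {"outcome": outcome, "auid": f.get("auid"), "exe": f.get("exe"),
                           "syscall": f.get("syscall"), "exit": f.get("exit")}
    return results

if __name__ == "__main__":
    for serial, info in sorted(real_outcome(SAMPLE_LOG).items()):
        print(serial, info)
```

Serial 103 shows the failure mode in the thread: with only the AVC record, the tool cannot say whether anything was blocked.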
