Karl MacMillan wrote: > Linda Knippers wrote: > >> Joshua Brindle wrote: >> >> >>> Linda Knippers wrote: >>> >>> > > <snip> > >>>> If we go the auditallow route then we lose some audit record management >>>> features, like the ability to enable/disble/search for these records, >>>> don't we? Do we care? >>> >>> enable and disable with a boolean >>> >>> searching? surely you can search avc records.. >> >> I meant with the audit tools, so using auditctl to add/remove rules and >> ausearch for looking for specific record types. >> > > As I said in my other mail the searching should be fine. Why does the > addition or removal need to be handled by auditctl?
There was a discussion a long, long time about about how administrators should manage what gets into the audit logs, whether its with the audit tools, the policy or both. There are explicit message types for alot of management operations so that the admin can decide whether to get them and the tools make it easy to search for. If changing the ipsec label configuration is just an AVC message, it will be different from just about everything else. It might be easy, but is it what we want? I wish sgrubb were reading mail today. I think this is something that he cares about, at least he did the last time we had this conversation. -- ljk -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
