On Tuesday 03 October 2006 17:30, Karl MacMillan wrote:
> > I meant with the audit tools, so using auditctl to add/remove rules and
> > ausearch for looking for specific record types.
>
> As I said in my other mail the searching should be fine. Why does the
> addition or removal need to be handled by auditctl?

Because we want to teach admins to use the audit system to...audit. It's really awkward to tell them that you can audit almost everything, but if you need to do this one other thing, you need to change your policy to do it. Also, the audit system records changes to itself so that you can see when that rule disappeared from the config. Doing it in policy, all you get is a policy loaded message which doesn't tell you what in the policy changed.

-Steve
