My comments are more from a log user (not developer) perspective. We are
exporting close to 10GB/day of mostly auditd logs. This will potentially go
up to 20GB/day next year.
I'd prefer the ability to translate all auditd logs before they are written
to disk. I believe this is what you have
On Wed, 09 Dec 2015 12:43:37 +1100
Burn Alting wrote:
> On Tue, 2015-12-08 at 19:28 -0500, Paul Moore wrote:
> > On Tuesday, December 08, 2015 03:25:22 PM Steve Grubb wrote:
> > > On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote:
> > > > On Tue, Dec 8, 2015 at
On Thu, Dec 10, 2015 at 5:49 PM, Steve Grubb wrote:
> On Wed, 09 Dec 2015 12:43:37 +1100
> Burn Alting wrote:
>
>> Steve,
>>
>> Can you mock up some examples of an 'enriched' event showing how it is
>> different from what we have now.
>
> type=LOGIN
I guess I should have CCed the linux-audit mailing list from the start.
As said in my initial mail (see below), when SELinux user object managers
are reloading the policy, an audit message with a wrong type is logged:
USER_AVC vs USER_MAC_POLICY_LOAD.
On 06/11/15 17:29, Stephen Smalley wrote: