Re: Using the audit system for non-security events

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com, dwmw2@redhat.com, harald@redhat.com
Subject: Re: Using the audit system for non-security events
Date: Wed, 28 May 2008 18:00:34 -0300	[thread overview]
Message-ID: <1212008434.30699.6.camel@klausk.br.ibm.com> (raw)
In-Reply-To: <1211911726.3079.35.camel@localhost.localdomain>

On Tue, 2008-05-27 at 14:08 -0400, Eric Paris wrote:
> I want thoughts on such a proposal.  Obviously I'm going to ahve to
> put
> some real thought/care into how to handle 'overlapping' rules between
> security and non-security and stuff like that, but as a general idea
> what do people think?

At the risk of sounding like "we should take over the world", I think it
actually should be a good thing to have more users relying on the audit
subsystem, so I liked the idea.

Previously, on this same mailing list, we once discussed about using
fields to route records across different systems. Perhaps it's time for
us to have a real look at a more generic solution for this? (Not that
I'm against adding another field, but since record routing is necessary
for several reasons, wouldn't it be desirable to have the right
infrastructure in place to handle those, say, in auditctl?)

 -Klaus

-- 
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center

next prev parent reply	other threads:[~2008-05-28 21:00 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-05-27 18:08 Using the audit system for non-security events Eric Paris
2008-05-27 19:11 ` Linda Knippers
2008-05-28 21:00 ` Klaus Heinrich Kiwi [this message]
2008-05-28 21:24   ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1212008434.30699.6.camel@klausk.br.ibm.com \
    --to=klausk@linux.vnet.ibm.com \
    --cc=dwmw2@redhat.com \
    --cc=eparis@redhat.com \
    --cc=harald@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox