From mboxrd@z Thu Jan 1 00:00:00 1970
From: Klaus Heinrich Kiwi
Subject: Re: Using the audit system for non-security events
Date: Wed, 28 May 2008 18:00:34 -0300
Message-ID: <1212008434.30699.6.camel@klausk.br.ibm.com>
References: <1211911726.3079.35.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <1211911726.3079.35.camel@localhost.localdomain>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris
Cc: linux-audit@redhat.com, dwmw2@redhat.com, harald@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2008-05-27 at 14:08 -0400, Eric Paris wrote:
> I want thoughts on such a proposal. Obviously I'm going to have to put
> some real thought/care into how to handle 'overlapping' rules between
> security and non-security and stuff like that, but as a general idea
> what do people think?

At the risk of sounding like "we should take over the world", I think it
actually should be a good thing to have more users relying on the audit
subsystem, so I liked the idea.

Previously, on this same mailing list, we once discussed using fields to
route records across different systems. Perhaps it's time for us to have
a real look at a more generic solution for this? (Not that I'm against
adding another field, but since record routing is necessary for several
reasons, wouldn't it be desirable to have the right infrastructure in
place to handle those, say, in auditctl?)

-Klaus

-- 
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center