From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Monitoring events
Date: Thu, 8 Jun 2006 11:23:21 -0400
Message-ID: <200606081123.21710.sgrubb@redhat.com>
References: <44882C43.70704@ornl.gov> <200606081039.07731.sgrubb@redhat.com>
	<44883AD8.9070307@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <44883AD8.9070307@ornl.gov>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 08 June 2006 10:57, Steve wrote:
> So, assuming I installed RHEL4, would this "key tag" allow all events to
> be tied to rules, or just the file watch events?

There has been some talk about adding the "key" to LSPP kernels. So this might 
be available eventually. (You are testing against a kernel that is under 
development and not feature complate.)

RHEL4 on the otherhand has an older audit system. I have not backported the 
audit dispatcher interface to the 1.0.X series. It shouldn't be difficult and 
might be something I do for 1.0.15.

-Steve