From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: SELinux for auditing
Date: Fri, 2 Feb 2007 15:12:32 -0500
Message-ID: <200702021512.32866.sgrubb@redhat.com>
References: <1170202290.4168.14.camel@localhost.localdomain>
	<1170341940.12293.124.camel@moss-spartans.epoch.ncsc.mil>
	<1170419837.6772.14.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1170419837.6772.14.camel@localhost.localdomain>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 02 February 2007 07:37, Matthew Booth wrote:
> How much of the functionality is in userspace, and how much requires extra
> kernel bits?

The identification of syscalls that becomes an event is done by the kernel. 
Userspace just send rules into the kernel and records what the kernel sees.

> In short, can I recompile the RHEL5 auditd for RHEL4 and expect to get
> additional functionality?

Not really for 2 reasons. One being that the watch technique is totally 
different and incompatible between current user space and the old 1.0.x 
series. The other being that the interesting work is done by the kernel.

That said, there is an update to RHEL4 audit (1.0.15-2) that introduces the 
realtime interface from RHEL5 that should be part of the U5 update. That 
could be handy for moving events off the machine in realtime.

-Steve