From: Steve Grubb
Subject: Re: [PATCH] audit keys: support for multiple audit keys
Date: Fri, 12 Mar 2010 14:40:14 -0500
Message-ID: <201003121440.14417.sgrubb@redhat.com>
In-Reply-To: <58f704b21003120725xf6c6078i90982a6baf7ccac0@mail.gmail.com>
To: linux-audit@redhat.com

On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
> I knew that more keys can be added with the 0x01 separator. However, this
> patch supports different types of keys and plugins could recognize audit
> events using them.
>
> For example, I'm working on reactive audit and I need to separate normal
> audit events from those generated by reactive rules and find out which
> reaction(s) should be triggered. -F react=reaction can be added to the
> audit (AUDIT_REACTKEY) and audit events would include reaction identifiers
> such as react="reaction"

OK, I see. What I would suggest is a mechanism with a new name. One thing I
will point out is that the kernel prefers to work off of integers instead of
strings. Strings are for people, numbers are for the computer. (E.g. root vs
0.) So, I would consider calling this something else and using integers so
that comparisons are faster.

-Steve