From mboxrd@z Thu Jan 1 00:00:00 1970
From: Linda Knippers
Subject: Re: Watch Performance
Date: Tue, 11 Apr 2006 17:21:01 -0400
Message-ID: <443C1DBD.5040103@hp.com>
References: <200604081221.58080.sgrubb@redhat.com> <200604110626.26843.sgrubb@redhat.com> <20060411161141.GA16506@zk3.dec.com> <200604111701.23649.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <200604111701.23649.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> I also don't like the idea of handling this by all those syscalls or using
> "all" because user space tools could get out of sync with the kernel. On any
> kernel upgrade, there could be a new syscall that allows file system access.
> The user space tools wouldn't know about it and wouldn't provide automatic
> coverage.

Maybe we ought to have a way to specify all system calls of a particular
type and let the kernel audit code decide which ones those are. We could
group file operations, mode changes, ownership changes, privilege changes,
execs, time changes, etc. That way admins don't necessarily have to know
all the different ways one might do a chown, lchown, fchown, etc. And maybe
there should be an 'all' that really means 'all' and not just all that the
user space tools know about.

-- ljk