From: Steve
Subject: Re: Monitoring events
Date: Thu, 08 Jun 2006 10:57:28 -0400
To: linux-audit@redhat.com
Message-ID: <44883AD8.9070307@ornl.gov>

>>>> Is there any kind of identifier that ties events to rules?
>>> Which kernel are you using? Are your events only watches or do you care
>>> about syscall auditing as well (meaning you have set some syscall audit
>>> rules)?
>> kernel-2.6.16-1.2212.2.8_FC6.lspp.34.i686 on Fedora Core 5
>> At the moment they are only watches,
> OK, the lspp series (so far) does not support the idea of a "key tag" as RHEL4
> did.

So, assuming I installed RHEL4, would this "key tag" allow all events to be tied to rules, or just the file watch events?