From mboxrd@z Thu Jan  1 00:00:00 1970
From: Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] audit config lockdown
Date: Fri, 19 Jan 2007 11:48:54 -0800 (PST)
Message-ID: <4934.44879.qm@web36602.mail.mud.yahoo.com>
References: <200701191439.55315.sgrubb@redhat.com>
Reply-To: casey@schaufler-ca.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25])
	by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l0JJn1nA000491
	for <linux-audit@redhat.com>; Fri, 19 Jan 2007 14:49:01 -0500
Received: from web36602.mail.mud.yahoo.com (web36602.mail.mud.yahoo.com
	[209.191.85.19])
	by mx2.redhat.com (8.12.11.20060308/8.12.11) with SMTP id
	l0JJn0vN004491
	for <linux-audit@redhat.com>; Fri, 19 Jan 2007 14:49:00 -0500
In-Reply-To: <200701191439.55315.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>, Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com


--- Steve Grubb <sgrubb@redhat.com> wrote:

> Hi,
>=20
> The following patch adds a new mode to the audit
> system. It uses the
> audit_enabled config option to introduce the idea of
> audit enabled, but
> configuration is immutable. Any attempt to change
> the configuration=20
> while in this mode is audited. To change the audit
> rules, you'd need to
> reboot the machine.

I don't expect it to be popular, but I like it.


Casey Schaufler
casey@schaufler-ca.com