From: Chris W. <ch...@os...> - 2005-01-22 01:34:12
* Casey Schaufler (ca...@sc...) wrote:
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format? If you did you wouldn't have to
> care if any given bit of information was there
> just yet, or allocate a place for things that
> might or might not be there someday. Both Solaris
> and Irix use tokenized schemes to effect.

You mean BSM format? Yes, I think Serge and I talked about it briefly a few months ago.

The current method is tokenized and reasonably extensible. It's not quite record+tokens like BSM, but there's an initial record that tells you how many ancillary records (items) to expect. And each record is made up primarily of token=value pairs.

I think we should provide what makes sense, and do any BSM type translation in userspace. But having _some_ BSM compatibility would be wise, since that's what many tools deal with.

thanks,
-chris

--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net

--
Linux-audit mailing list
Lin...@re...
http://www.redhat.com/mailman/listinfo/linux-audit
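The message above describes the Linux audit record layout as a header record announcing how many ancillary records (items) follow, each record carrying token=value pairs. As an added illustration that is not part of the thread or of the audit code itself, the Python below parses a few constructed records in that style, groups them into events by serial number, and flattens each event without requiring any particular token to be present (Casey's point about not having to "care if any given bit of information was there"). It also checks the announced `items` count against the PATH records actually received, which is how a consumer detects a truncated event. The `type=... msg=audit(seconds.millis:serial):` framing follows the Linux audit userspace format; the field values are made up, and the helper names are this example's own.

```python
import re

# Constructed sample records in the token=value style the thread discusses.
# The framing follows the Linux audit userspace format; all values are invented.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1106358852.123:17): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=1234 uid=1000 comm="cat" exe="/bin/cat" key="watch-etc"
type=CWD msg=audit(1106358852.123:17): cwd="/home/alice"
type=PATH msg=audit(1106358852.123:17): item=0 name="/etc/" inode=2 mode=040755
type=PATH msg=audit(1106358852.123:17): item=1 name="/etc/shadow" inode=99 mode=0100640
type=SYSCALL msg=audit(1106358853.456:18): arch=c000003e syscall=59 success=no exit=-13 items=1 pid=1235 uid=1000 comm="sh"
type=PATH msg=audit(1106358853.456:18): item=0 name="/usr/bin/sudoedit"
"""

# Header: record type plus the (timestamp:serial) pair that ties records of one event together.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# One token=value pair; values may be quoted strings containing spaces.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one line into {'type', 'ts', 'serial', 'fields'}; None if it is not a record."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {}
    for key, val in TOKEN_RE.findall(m.group('rest')):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val  # unknown tokens are kept as-is; nothing is mandatory
    return {
        'type': m.group('type'),
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def group_events(text):
    """Group records that share a serial number into events, preserving arrival order."""
    events, order = {}, []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.get(rec['serial'])
        if ev is None:
            ev = {'serial': rec['serial'], 'ts': rec['ts'], 'records': []}
            events[rec['serial']] = ev
            order.append(rec['serial'])
        ev['records'].append(rec)
    return [events[s] for s in order]


def summarize(event):
    """Flatten an event into one dict. Absent tokens are simply left out, and the
    'items' count announced by the SYSCALL header is checked against the PATH
    records that actually arrived, so a truncated event is flagged rather than
    silently accepted."""
    head = next((r for r in event['records'] if r['type'] == 'SYSCALL'), None)
    summary = {'serial': event['serial'], 'ts': event['ts']}
    if head is not None:
        for key in ('syscall', 'success', 'exit', 'uid', 'comm', 'exe', 'key'):
            if key in head['fields']:
                summary[key] = head['fields'][key]
    summary['paths'] = [r['fields'].get('name') for r in event['records'] if r['type'] == 'PATH']
    expected = int(head['fields']['items']) if head and 'items' in head['fields'] else None
    summary['complete'] = expected is None or expected == len(summary['paths'])
    return summary


def summarize_all(text):
    return [summarize(ev) for ev in group_events(text)]


if __name__ == '__main__':
    for s in summarize_all(SAMPLE_RECORDS):
        print(s)
```

Because the summary only copies tokens that exist, a record written by an older kernel that lacks, say, `exe` still parses; the consumer checks `'exe' in summary` instead of assuming a fixed slot, which is the extensibility advantage the thread attributes to a tokenized format.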