On Fri, Jan 19, 2007 at 02:39:55PM -0500, Steve Grubb wrote:
> The following patch adds a new mode to the audit system. It uses the
> audit_enabled config option to introduce the idea of audit enabled, but
> configuration is immutable. Any attempt to change the configuration
> while in this mode is audited. To change the audit rules, you'd need to
> reboot the machine.

Seems reasonable to me. Just a couple of comments.

> This patch also adds "res=" to a number of configuration commands that did not
> have it before.

The res= idiom is unfamiliar to me, seems like an is_xxx name (is_allowed?) would make it clear what the intent is for.

> @@ -64,7 +64,9 @@ > * (Initialization happens after skb_init is called.) */ > static int audit_initialized; > > -/* No syscall auditing will take place unless audit_enabled != 0. */ > +/* 0 - no auditing > + * 1 - auditing enabled > + * 2 - auditing enabled and configuration is locked/unchangeable. */ > int audit_enabled;

You probably want a #define or enum for these values, rather than using magic numbers.

Thanks.

--
Steve Beattie
SUSE Labs, Novell Inc.
<[EMAIL PROTECTED]>
http://NxNW.org/~steve/
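
Review bot: In the comment above `int audit_enabled;`, the replaced text said that syscall auditing keys off `audit_enabled != 0`, and the new three-value list drops that statement, so a reader can no longer tell from the declaration that 2 is also meant to satisfy a non-zero test. Suggest keeping a sentence saying that any non-zero value enables auditing, and noting in the same comment that state 2 can only be left by a reboot, as the patch description says. Giving the three states names instead of bare numbers would also make it harder for a check written against 1 to silently skip the locked state.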

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
