From: Joy Latten <[EMAIL PROTECTED]> Date: Thu, 23 Aug 2007 12:15:10 -0500
> For example, when auditing the addition of a policy, either > xfrm_user_audit_policy_add(xp, result, skb) or > pfkey_audit_policy_add(xp, result) will get called. > I need two because xfrm_user gets loginuid/secid from netlink/skb > and pfkey gets it from audit_get_loginuid(). > Each will setup and format audit buffer according > to what they want. > > Also, for deleting, there will be pfkey_audit_policy_delete(xp, result) > and xfrm_user_audit_policy_delete(xp, result, skb). This sounds great. How cheap is the "auditing enabled" test? Perhaps it can be even inlined into the xfrm audit hooks. -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
