On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
> Rather than using the key for two purposes and introducing special key
> words, couldn't an admin just tell the IDS which keys are of interest?
> And what the priority of each one is?

The problem is that you can tell the IDS that you want any reads of /opt/my-secrets, but unless you have a matching audit rule you will not get any records. This allows you to make sure you have a watch paired with its meaning.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
