On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
> I knew that more keys can be added with the 0x01 separator. However, this
> patch supports different types of keys and plugins could recognize audit
> events using them.
>
> For example, I'm working on reactive audit and I need to separate normal
> audit events from those generated by reactive rules and find out which
> reaction(s) should be triggered. -F react=reaction can be added to the
> audit (AUDIT_REACTKEY) and audit events would include reaction identifiers
> such as react="reaction"

OK, I see. What I would suggest is a mechanism with a new name. One thing I will point out is that the kernel prefers to work off of integers instead of strings. Strings are for people, numbers are for the computer. (E.g. root vs 0.) So, I would consider calling this something else and using integers so that comparisons are faster.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
