On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote: > Would there be any issue with adding a couple new trusted_application > event types? Would any kernel mods be needed to support this?
Are these events originating in user space or the kernel? I might be convinced to set aside the block of IDs from 2600 - 2699 for local use if a suitable framework were written. This would mean that there is some config file that holds the local mapping of event IDs to text and ausearch/report/parse will need to be patched to understand local definitions. Would you be interested in this approach? -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
