On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <[email protected]> wrote: > On 2017-02-13 18:50, Paul Moore wrote: >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <[email protected]> wrote:
... >> > useless? smac, dmac, macproto >> >> Probably useless in the majority of use cases. > > How do we deal with the minority of cases where it could be quite useful? First you first need to show me why I should care about this, in other words, why *must* you have the fields in the audit record. >> > helpful secmark (I forgot to change it from "obj" to "secmark" in >> > my patch). >> >> We may also want to log the peer label if we are going to log the secmark. > > Ok, noted. Please note well the "*if*" portion in the above statement. I'm not overly convinced that either field is all that useful in the majority of cases. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
