We can do this 2 ways 1. Kernel mod 2. Auditd mod to write back to kmsg
I would like to make option one a build a config, so if anyone drops something into user space that uses the audit netlink, the kernel is already config'd to split and all existing tools work, or they can turn it on off dynamically. 2 is nice, as it minimizes our kernel mods. Any preference? -- Respectfully, William C Roberts
