I haven't really spent much time with the audit rule support patched into auditd. Typically, if I wanted audit system logs, I would patch the kernel setting some integer to 1. Not really the best, but it worked. I think the tuna omap kernel was patched with it.
The result was that whenever a denial occurred, I ended up with the whole syscall trace of that event. Is there a way to enable that behavior with the audit rules support? My understanding is no, since it only has -e and -w support, and we would need -s, is that correct?

--
Respectfully,
William C Roberts