On 01/08/2015 04:55 PM, Alexander Viro wrote:
> Incidentally, that's a fine example of the reasons why syscall audit is useless
> for almost anything other than CYA. It's not that syscall tracing is useless -
> strace can be quite useful, actually. It's the bogus impression of coverage
> in case of watching what a live system does - a whole lot of events simply do
> not map on "somebody had done a syscall with such and such arguments".

All true & well put; thank you.

The CYA factor IS important.

But the translation magic from user actions to syscalls (and back - from intent to result) is where it gets interesting. The forensics challenge with the data we have is what some of us are grappling with now (forever).
LCB
--
LC (Lenny) Bruzenak
[email protected]
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
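Added example, not part of the list thread: a concrete instance of the point Viro makes above, that a change to a file does not necessarily correspond to any "write this data" syscall. The program modifies a file through a MAP_SHARED mapping, so the kernel only ever sees open/mmap/msync/munmap/close; the bytes themselves change via page faults. A syscall-based audit rule (a watch with -p w will record the open(2) for writing, a `-S write` rule records nothing at all) cannot tell you what was changed or when. The contrasting pwrite(2) path is the case syscall audit does see. The file path and contents are constructed for the demonstration; run it under `strace -e trace=write,pwrite64,mmap,msync ./a.out` to compare the two paths yourself.

```c
/* Added example (not from the linux-audit thread): modify a file without
 * calling write(2), to show why per-syscall audit records do not map 1:1
 * onto "file X was changed". Path and contents below are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or truncate) a file with the given contents; 0 on success. */
int create_file(const char *path, const char *contents) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(contents, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Overwrite len bytes at offset off through a shared mapping.
 * No write(2)/pwrite(2) is ever issued: the only syscalls are
 * open, fstat, mmap, msync, munmap and close. 0 on success. */
int modify_via_mmap(const char *path, off_t off, const char *data, size_t len) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || off < 0 || (off_t)(off + len) > st.st_size) {
        close(fd);
        return -1;
    }
    char *map = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }
    memcpy(map + off, data, len);      /* the actual change: a page fault, not a syscall */
    int rc = msync(map, st.st_size, MS_SYNC);
    munmap(map, st.st_size);
    close(fd);
    return rc;
}

/* Same change via pwrite(2): this one shows up as a syscall with the
 * offset and byte count in its arguments. 0 on success. */
int modify_via_pwrite(const char *path, off_t off, const char *data, size_t len) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, data, len, off);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Read the file back and compare; 1 if it matches expected, else 0. */
int check_contents(const char *path, const char *expected) {
    char buf[4096];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

int main(void) {
    const char *path = "/tmp/audit_mmap_demo.txt";   /* constructed path */
    if (create_file(path, "hello, world\n") != 0) return 1;
    /* Change "world" to "there" with no write syscall at all. */
    if (modify_via_mmap(path, 7, "there", 5) != 0) return 1;
    printf("after mmap change:   %s", check_contents(path, "hello, there\n") ? "hello, there\n" : "MISMATCH\n");
    /* Change "hello" to "howdy" via pwrite(2), which audit can see. */
    if (modify_via_pwrite(path, 0, "howdy", 5) != 0) return 1;
    printf("after pwrite change: %s", check_contents(path, "howdy, there\n") ? "howdy, there\n" : "MISMATCH\n");
    unlink(path);
    return 0;
}
```

The design point: both paths leave an identical file, but only the second leaves a syscall record that names the data. Reconstructing "who changed these bytes" from the first path requires correlating an open-for-write record with the file's later state, which is exactly the intent-to-result gap the reply above describes.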
