On Fri, Oct 08, 2004 at 07:17:17PM +0900, aq wrote: > > I meant that in order to implement your method, auditd must be > compiled into the kernel. So far very few kernels from vendors support > auditd out of the box. Both Red hat and SuSE have this (or similar) on for sure > Then the user must recompile the kernel > themselves to support auditd --> I think that is not always desired. if the user wants auditing... why not? having a dodgy module doing a syscall override is actually more insecure ;) -- Kernelnewbies: Help each other learn about the Linux kernel. Archive: http://mail.nl.linux.org/kernelnewbies/ FAQ: http://kernelnewbies.org/faq/