[PATCH] (0/2) new audit filter allows excluding messages by type

Dustin Kirkland dustin.kirkland at gmail.com
Wed Nov 2 09:27:34 UTC 2005


On 11/1/05, Dustin Kirkland <dustin.kirkland at us.ibm.com> wrote:
> The interface to exclude messages of IPC type looks like:
> auditctl -a exclude,always -F "msgtype=IPC"

Just now thinking about this...  This might be a bit verbose for what
is truly needed.  That is, the "always" part, and even the "msgtype"
should probably be implicit.  In which case, we might offer a shortcut
interface for excluding audit messages by type to use a new "-E"
parameter:

auditctl -E "type=IPC" -E "type>1400"

Also, I realized that my first patch didn't update the man page or the
usage statements for auditctl.  I'll fix that in subsequent posts as
we hash out the interoperation of kernel and userspace.


:-Dustin



