[PATCH] (0/2) new audit filter allows excluding messages by type
Steve Grubb
sgrubb at redhat.com
Thu Nov 3 14:45:14 UTC 2005
On Thursday 03 November 2005 09:26, Amy Griffis wrote:
> > auditctl -E "type=IPC" -E "type>1400"
>
> Using the hard numbers is not a good idea.

This is just an illustration. Besides, we have to support numbers as we may be
using old user space tools and new kernel.

> We want to abstract that
> from the user. It would be better to define an alias that comprises
> an event group. For example:
>
> auditctl -E user
>
> would exclude any messages in the range AUDIT_FIRST_USER_MSG to
> AUDIT_LAST_USER_MSG.

Aahh, but there is a collision in that audit_user is a valid message type.
This would be confusing, too.

> Providing the capability to exclude single messages or larger groups
> of messages should suffice. I don't think it benefits the user to
> support the >,< operators in this case.

But it calls the comparator function, so we can support these operators for
free.

> Additionally, I don't think it makes sense to support the exclusion of
> any single message type defined in the header file.

I think we should let users decide for themselves. We cannot know every
situation or reason for doing things. Why prevent someone that knows what
they want?

-Steve