[PATCH] (1/2) new audit filter allows excluding messages by type (kernel)

Amy Griffis amy.griffis at hp.com
Thu Nov 3 19:20:35 UTC 2005


On Thu, Nov 03, 2005 at 10:30:16AM -0600, Timothy R. Chavez wrote:
> On Thursday 03 November 2005 08:39, Steve Grubb wrote:
> > On Thursday 03 November 2005 08:58, Amy Griffis wrote:
> > > What about someone running a kernel without CONFIG_AUDITSYSCALL?  With
> > > this implementation, they wouldn't be able to use this filtering at
> > > all.  That doesn't make any sense, since filtering audit record types
> > > is inherently unrelated to syscalls.  This filtering applies to audit
> > > in general, so it should live entirely in audit.c.
> > 
> > It might be tricky to untangle. I think it uses functions that only live in
> > that file. I think it's worth looking into, though.
> > 
> > -Steve
> > 
> 
> This shortcoming also appears with user message filtering.  Right?

Yes, and that doesn't make sense either. :-)



