[PATCH] (1/2) new audit filter allows excluding messages by type (kernel)

Dustin Kirkland dustin.kirkland at us.ibm.com
Thu Nov 3 19:51:07 UTC 2005


On Thu, 2005-11-03 at 14:20 -0500, Amy Griffis wrote:
> On Thu, Nov 03, 2005 at 10:30:16AM -0600, Timothy R. Chavez wrote:
> > This shortcoming also appears with user message filtering.  Right?
> 
> Yes, and that doesn't make sense either. :-)

From include/linux/audit.h:

#define AUDIT_FILTER_USER       0x00    /* Apply rule to user-generated messages */
#define AUDIT_FILTER_TASK       0x01    /* Apply rule at task creation (not syscall) */
#define AUDIT_FILTER_ENTRY      0x02    /* Apply rule at syscall entry */
#define AUDIT_FILTER_WATCH      0x03    /* Apply rule to file system watches */
#define AUDIT_FILTER_EXIT       0x04    /* Apply rule at syscall exit */
#define AUDIT_FILTER_EXCLUDE    0x05    /* Apply rule at audit_log_start */

So out of all of these, AUDIT_FILTER_ENTRY and AUDIT_FILTER_EXIT are the
only two that are 'inherently syscall related', a minority in fact.

If AUDIT_FILTER_EXCLUDE doesn't belong in auditsc.c, then neither does
_USER, _TASK, _WATCH.

I agree that these might be better placed elsewhere, but it's not the
business of this patch to go about moving these things around.  What are
your thoughts on solving this properly for all filters?  Note that this
probably belongs in a thread of its own...

Dustin