Selective Audit; filtering on message type; integration of operators
Debora Velarde
dvelarde at us.ibm.com
Mon Oct 3 18:25:26 UTC 2005
> --
>
> USER_SPACE
>
> From a user-experience perspective, we're trying to enable a user to
> exclude messages of a certain type (or ranges of messages of particular
> types). If you're unclear what types of messages are currently defined,
> see include/linux/audit.h. Given extended support for ranges and
> comparative operators, this should be extensible to other audit record
> keys, such as the user, subject, etc.
>
> I'm suggesting the ability to add new rules via auditctl to a new list,
> perhaps called "exclude". The proposed interface would look like:
>
> Exclude messages of a specific type:
> auditctl -a exclude,always -F "type=AUDIT_IPC"
>
> Exclude messages within range:
> auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
>
> Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
> auditctl to be a range of 1200-1299 as specified in the audit.h header):
> auditctl -a exclude,always -F "type=ALL_DAEMON"
>
> Use multiple rules to exclude audit system command messages:
> auditctl -a exclude,always -F "type<1100"
>
> Also, the same form should be usable for other parameters as well, such
> as uid, pid, etc.
> auditctl -a exclude,always -F "uid<500"
> auditctl -a exclude,always -F "pid=464"
>
>
I like the new 'exclude' list idea.
We can currently select to never audit with the use of the action 'never'.
Such as "auditctl -a exit,never -F pid=464"
If we add an 'exclude' list then it seems like we would no longer need the
'never' action.
I think 'auditctl -a exclude,always -F pid=464' is less confusing than the
user having to figure out if they only need one or all of the following:
auditctl -a exit,never -F pid=464
auditctl -a entry,never -F pid=464
auditctl -a task,never -F pid=464
auditctl -a user,never -F pid=464
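The exclude-rule syntax proposed in this thread, modelled as an added example that is not code from the thread or from the audit tools: it parses the proposed -F expressions (a single type, the A..B range form, the ALL_DAEMON helper term, and numeric comparisons such as type<1100 or uid<500) and checks a record against a list of exclude rules. The type numbers are a constructed subset of the include/linux/audit.h constants, and the '>' comparison is an assumed generalization not shown in the thread.

```python
import re

# Constructed subset of the record type constants in include/linux/audit.h.
AUDIT_TYPES = {
    "AUDIT_USER": 1005, "AUDIT_LOGIN": 1006,
    "AUDIT_SYSCALL": 1300, "AUDIT_PATH": 1302, "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304, "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306, "AUDIT_CWD": 1307,
}
# Helper terms auditctl would expand; ALL_DAEMON is the 1200-1299 range from the thread.
ALIASES = {"ALL_DAEMON": (1200, 1299)}

_EXPR = re.compile(r"^(\w+)(=|<|>)(.+)$")


def _value(field, token):
    """Resolve a numeric or symbolic operand (type names only) to an int."""
    token = token.strip()
    if token.isdigit():
        return int(token)
    if field == "type" and token in AUDIT_TYPES:
        return AUDIT_TYPES[token]
    raise ValueError(f"unknown operand {token!r} for field {field}")


def parse_filter(expr):
    """Turn one -F expression into (field, low, high) inclusive bounds."""
    m = _EXPR.match(expr.strip().strip('"'))
    if not m:
        raise ValueError(f"bad filter: {expr!r}")
    field, op, rhs = m.groups()
    if op == "=":
        if field == "type" and rhs in ALIASES:        # helper term
            lo, hi = ALIASES[rhs]
        elif ".." in rhs:                             # explicit range A..B
            a, b = rhs.split("..", 1)
            lo, hi = _value(field, a), _value(field, b)
        else:                                         # single value
            lo = hi = _value(field, rhs)
    elif op == "<":
        lo, hi = 0, _value(field, rhs) - 1
    else:  # ">" is an assumed generalization of the proposed syntax
        lo, hi = _value(field, rhs) + 1, 2**31 - 1
    return field, lo, hi


def is_excluded(record, rules):
    """True if any exclude rule matches the record (a dict of int fields)."""
    return any(f in record and lo <= record[f] <= hi
               for f, lo, hi in (parse_filter(r) for r in rules))
```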