Selective Audit; filtering on message type; integration of operators

Linda Knippers linda.knippers at hp.com
Fri Oct 7 22:33:47 UTC 2005


> Exclude messages within range:
> auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"

While I think it's handy to be able to specify multiple types
easily, supporting ranges like this doesn't seem like a good
idea to me.  If new types are added in the future within the range,
an admin might be excluding more than intended without even knowing,
and if the values of these definitions ever change, the rule might
not even make sense.

> Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
> auditctl to be a range of 1200-1299 as specified in the audit.h header):
> auditctl -a exclude,always -F "type=ALL_DAEMON"

I like this approach better.  Maybe you could have ALL_SYSCALL,
which includes AUDIT_SYSCALL, AUDIT_CWD, AUDIT_PATH, and whatever
else comes with syscall auditing, regardless of what the values are.

-- ljk

PS  I'm still cleaning up a backlog of mail so my apologies if this
has already been discussed in mail I haven't read yet.
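The two filter forms discussed in this thread, worked through as an added example that is not part of the original message or of the audit project's code: the type table is a constructed subset laid out like audit.h, and the helper terms ALL_DAEMON and ALL_SYSCALL are the hypothetical ones proposed above, expanded here so the difference in behaviour when a new type is added shows up concretely.

```python
# Added example (not from the thread): expands each proposed filter
# syntax into the concrete message types it matches, to show why a
# numeric range silently grows while a name-based helper term does not.

# Constructed subset of audit message types laid out like audit.h
# (1200s: daemon messages, 1300s: syscall-related records).
AUDIT_TYPES = {
    "AUDIT_DAEMON_START": 1200, "AUDIT_DAEMON_END": 1201,
    "AUDIT_DAEMON_ABORT": 1202, "AUDIT_DAEMON_CONFIG": 1203,
    "AUDIT_SYSCALL": 1300, "AUDIT_PATH": 1302, "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304, "AUDIT_CWD": 1307,
}

# Hypothetical helper terms: ALL_DAEMON from the proposal, ALL_SYSCALL
# from the reply. A group is a list of names, so it does not depend on
# which numbers get assigned to types added later.
GROUPS = {
    "ALL_DAEMON": ["AUDIT_DAEMON_START", "AUDIT_DAEMON_END",
                   "AUDIT_DAEMON_ABORT", "AUDIT_DAEMON_CONFIG"],
    "ALL_SYSCALL": ["AUDIT_SYSCALL", "AUDIT_CWD", "AUDIT_PATH"],
}

def expand_type_filter(spec, types=AUDIT_TYPES, groups=GROUPS):
    """Sorted type names matched by a 'type=...' filter: range (A..B),
    helper term (ALL_X) or a single type name."""
    if not spec.startswith("type="):
        raise ValueError("only type= filters are handled here")
    value = spec[len("type="):]
    if ".." in value:
        lo_name, hi_name = value.split("..", 1)
        lo, hi = types[lo_name], types[hi_name]
        # Range: every type whose value lies in [lo, hi], including ones
        # that did not exist when the rule was written.
        return sorted(n for n, v in types.items() if lo <= v <= hi)
    if value in groups:
        return sorted(n for n in groups[value] if n in types)
    if value in types:
        return [value]
    raise ValueError(f"unknown type or helper term: {value}")

def filter_drift(spec, new_name, new_value, types=AUDIT_TYPES):
    """Types the rule matches only after `new_name` is added to the header:
    a non-empty result means the rule's scope grew without its text changing."""
    before = set(expand_type_filter(spec, types))
    after = set(expand_type_filter(spec, dict(types, **{new_name: new_value})))
    return sorted(after - before)
```

Running `filter_drift` with the same hypothetical new type against the range rule and against the ALL_SYSCALL rule reproduces the reply's point: only the range rule silently picks it up.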