Selective Audit; filtering on message type; integration of operators

Steve Grubb sgrubb at redhat.com
Sat Oct 8 14:02:43 UTC 2005


On Friday 07 October 2005 18:33, Linda Knippers wrote:
> > Exclude messages within range:
> > auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
>
> While I think it's handy to be able to specify multiple types
> easily, supporting ranges like this doesn't seem like a good
> idea to me.  If new types are added in the future within the range,
> an admin might be excluding more than intended without even knowing,
> and if the values of these definitions ever change, the rule might
> not even make sense.

And conversely, the admin can suppress the range even if new messages get 
added. That seems desirable to me. A developer may want to suppress all 
kernel AVC messages while passing user space originating ones.

The idea is to give the admin the flexibility to suppress as much or as little 
as they want. This includes the ability to suppress by number since people 
sometimes upgrade kernels but not user space tools.

> > Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
> > auditctl to be a range of 1200-1299 as specified in the audit.h header):
> > auditctl -a exclude,always -F "type=ALL_DAEMON"
>
> I like this approach better.

But it's the same thing. :)

The fact that it is expressing type=AUDIT_FIRST_DAEMON..AUDIT_LAST_DAEMON is 
hidden from you.

> Maybe you could have ALL_SYSCALL, which includes AUDIT_SYSCALL, AUDIT_CWD,
> AUDIT_PATH, and whatever else comes with syscall auditing, regardless of
> what the values are.

One for each block of messages is planned.

-Steve
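As an added illustration (not code from this thread or from auditctl itself), the Python below models how a `-F type=...` expression like the ones quoted above resolves to a numeric range and what that does to a stream of records: a range, a helper term and a bare number all end up as the same kind of filter, and a type that lands inside the range later is caught by it. The type numbers are the ones linux/audit.h assigns, the ALL_DAEMON expansion is the 1200-1299 block described in the thread, and the sample records (including 1250 as a stand-in for a daemon type that does not exist yet) are constructed.

```python
"""Resolve auditctl-style exclude filters to numeric type ranges (illustrative)."""
import re

# Subset of the message type numbers assigned in linux/audit.h.
AUDIT_TYPES = {
    "AUDIT_USER_AVC": 1107, "AUDIT_FIRST_DAEMON": 1200,
    "AUDIT_DAEMON_START": 1200, "AUDIT_DAEMON_END": 1201,
    "AUDIT_DAEMON_ABORT": 1202, "AUDIT_DAEMON_CONFIG": 1203,
    "AUDIT_LAST_DAEMON": 1299, "AUDIT_SYSCALL": 1300, "AUDIT_PATH": 1302,
    "AUDIT_IPC": 1303, "AUDIT_SOCKETCALL": 1304, "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306, "AUDIT_CWD": 1307, "AUDIT_AVC": 1400,
}

# Helper term modelled as the thread describes it: one name for a whole block.
HELPER_TERMS = {"ALL_DAEMON": (1200, 1299)}

def _to_number(tok):
    # Bare numbers are accepted so a kernel newer than the tools can still be filtered.
    return int(tok) if tok.isdigit() else AUDIT_TYPES[tok]

def resolve_type_filter(expr):
    """Map 'type=X', 'type=X..Y', 'type=ALL_DAEMON' or 'type=1300' to (lo, hi)."""
    m = re.fullmatch(r"type=([A-Za-z0-9_]+)(?:\.\.([A-Za-z0-9_]+))?", expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    lo_tok, hi_tok = m.groups()
    if hi_tok is None and lo_tok in HELPER_TERMS:
        return HELPER_TERMS[lo_tok]
    lo = _to_number(lo_tok)
    hi = _to_number(hi_tok) if hi_tok else lo
    if lo > hi:
        raise ValueError(f"inverted range: {expr!r}")
    return lo, hi

def apply_exclude_rules(records, rules):
    """Keep the (type_number, text) records whose type is outside every exclude range."""
    ranges = [resolve_type_filter(r) for r in rules]
    return [(t, txt) for t, txt in records
            if not any(lo <= t <= hi for lo, hi in ranges)]

# Constructed sample stream; 1250 stands in for a daemon type added in a later kernel.
SAMPLE_RECORDS = [
    (1300, "syscall"), (1302, "path"), (1307, "cwd"), (1400, "kernel avc"),
    (1107, "user-space avc"), (1250, "hypothetical future daemon type"),
]

if __name__ == "__main__":
    for rule in ("type=AUDIT_AVC", "type=ALL_DAEMON", "type=AUDIT_SYSCALL..AUDIT_CWD"):
        print(rule, "->", apply_exclude_rules(SAMPLE_RECORDS, [rule]))
```

Excluding `type=AUDIT_AVC` drops the kernel AVC record while the user-space AVC record (1107) passes, and `type=ALL_DAEMON` also drops the constructed 1250 record, which is the range behaviour both sides of the thread are weighing.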
