Many rules on one line
Dustin Kirkland
dustin.kirkland at gmail.com
Tue Apr 4 03:08:50 UTC 2006
On 4/3/06, Mont Rothstein <mont.rothstein at gmail.com> wrote:
> Is there any reason not to put many rules on one line in audit.rules?
>
> Ex:
> -a exit,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 -S unlink -S link -S symlink -S rename -S mkdir -S rmdir -F devmajor=253 -F devminor=1
Yes, that is preferred. The total overhead of storing this rule in
the kernel is reduced, and it's more efficient for the kernel
filtering code to iterate over.
You might have missed it, but this is exactly what Steve Grubb
recommended to you on 3/28:
https://www.redhat.com/archives/linux-audit/2006-March/msg00249.html
:-Dustin
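As an added illustration of the consolidation Dustin recommends (this is not code from the thread or from the audit project), the helper below folds single-syscall rules that share the same `-a` action and `-F`/`-k` options into one multi-`-S` rule; the sample rules are constructed here, and option order is assumed to be identical across the rules being merged.

```python
"""Fold audit.rules lines that differ only in their -S syscall into one rule."""
import shlex


def parse_rule(line):
    """Split one '-a list,action ...' rule into (action, syscalls, other options)."""
    toks = shlex.split(line)
    action, syscalls, others = None, [], []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-a":
            action = toks[i + 1]
            i += 2
        elif tok == "-S":
            syscalls.append(toks[i + 1])
            i += 2
        elif tok in ("-F", "-k"):          # options that take a value
            others.append((tok, toks[i + 1]))
            i += 2
        else:                              # bare flags, kept as-is
            others.append((tok, None))
            i += 1
    return action, syscalls, tuple(others)


def render(action, syscalls, others):
    """Emit a single auditctl rule with all syscalls on one line."""
    parts = ["-a", action] + ["-S %s" % s for s in syscalls]
    parts += [opt if val is None else "%s %s" % (opt, val) for opt, val in others]
    return " ".join(parts)


def merge_rules(lines):
    """Return the rule set with matching -a/-F/-k rules merged, order preserved.

    Comments, blank-stripped non '-a' lines (e.g. -w watches, -D) pass through.
    Rules whose -F options appear in a different order are treated as distinct.
    """
    out, seen = [], {}                     # seen: (action, others) -> index in out
    for line in lines:
        line = line.strip()
        if not line.startswith("-a "):
            if line:
                out.append(line)
            continue
        action, syscalls, others = parse_rule(line)
        key = (action, others)
        if key not in seen:
            seen[key] = len(out)
            out.append([action, [], others])
        merged = out[seen[key]][1]
        merged.extend(s for s in syscalls if s not in merged)   # dedupe syscalls
    return [render(*e) if isinstance(e, list) else e for e in out]


# Constructed sample: one rule per syscall, all with the same device filter.
SAMPLE_RULES = """
# constructed sample audit.rules
-a exit,always -S creat -F devmajor=253 -F devminor=1
-a exit,always -S open -F devmajor=253 -F devminor=1
-a exit,always -S unlink -F devmajor=253 -F devminor=1
-a exit,always -S execve -k exec
""".strip().splitlines()
```

Running `merge_rules(SAMPLE_RULES)` collapses the three device-filtered rules into one `-S creat -S open -S unlink` rule and leaves the `execve` rule separate because its options differ.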