What is expected: exclude action on the never list?
Michael C Thompson
thompsmc at us.ibm.com
Tue May 30 22:27:55 UTC 2006
Linda Knippers wrote:
> Steve Grubb wrote:
>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>
>>> I would read the second rule as saying "do not exclude messages of type
>>> SYSCALL". Is this a correct interpretation of the rule?
>>
>> That sounds reasonable, but I don't think that's what the kernel does. Maybe
>> it should be corrected. I think it's a 1 or 2 liner.
>
> According to the manpage, I'd say the kernel is behaving as expected.
>
> "Never" means never generate an audit record and "exclude" means even if
> one was generated, it should be excluded. The two options together are
> somewhat redundant but I don't think "never" was intended to mean "never
> do what the previous option just said to do", at least not according to
> the manpage.
Agreed. The wording is... confusing when compared to the rule. I guess
the real question which needs to be answered is "Do we need to be able
to force the capture of a rule?" Since audit by default does not
audit anything, and you have to explicitly add filters, I would say "no"
to this question.
That said, I think we should leave "exclude,always" as is, and either
change the man page to say something about "exclude,never" being the
same as "exclude,always", _or_ change the userspace to indicate that
"exclude,never" doesn't make sense.
Thanks,
Mike