[PATCH 1/2] add SIGNAL syscall class

Amy Griffis amy.griffis at hp.com
Wed Feb 14 20:12:05 UTC 2007


Steve Grubb wrote:  [Wed Feb 14 2007, 02:04:07PM EST]
> On Wednesday 14 February 2007 13:24:31 Amy Griffis wrote:
> > Add a syscall class for sending signals.
> 
> The intent of the syscall classes had been to make an update-independent way 
> of being able to specify audit rules for filesystem auditing where new 
> syscalls could be added.

Yeah, I know I used it in a different way from the original purpose.
But I think this is still a valid use... When we are adding or
removing a rule, we need a way to determine if the rule specified one
of the syscalls for sending signals.

> I don't know if this grouping would be useful in practice. <shrug>

Yeah, I wasn't sure either, so I didn't add the filtering part.

> What I have been thinking about is a grouping for delete and close.
> That would align with requirements on security standards people have
> to meet.

Makes sense. Do you think we're in danger of running out of slots for
syscall classes?

Amy



