Prettier formatting of audit.rules
Matthew Booth
mbooth at redhat.com
Wed Feb 21 11:23:25 UTC 2007
I note from the auditctl man page that sending a shorter list of audit
rules to the kernel is preferrable. Specifically, specifying lots of
system calls in a single rule is recommended. However, this makes
audit.rules unpleasant to look at and impossible to comment. While
audit.rules allows comments to be put on their own lines, it doesn't
allow a rule to be split over multiple lines, or comments at the end of
lines.
So rather than:
-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown -S creat
-S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S
execve -S vfork -S fork -S clone -F auid!= 101 -F auid!=102 -F auid!=103
it would be much nicer to write something like:
-a entry,always
-S chmod -S fchmod
-S chown -S fchown -S lchown # Attribute changes
-S creat
-S truncate -S ftruncate
-S mkdir -S rmdir
-S exit -S exit_group
-S execve
-S vfork -S fork -S clone # Task creation
-F auid!= 101 -F auid!=102 -F auid!=103 # Filter Oracle activity
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070221/43a969ab/attachment.sig>
More information about the Linux-audit
mailing list