[RFC] Do away with entry filter
Steve Grubb
sgrubb at redhat.com
Fri Feb 27 17:40:11 UTC 2009
On Friday 27 February 2009 11:56:57 am Linda Knippers wrote:
> > Let's discuss...
>
> Without "entry", does "exit" still make sense?
You mean the name? I think so from a compatibility perspective. Not everyone
will change their rules right away. Are you suggesting to rename the exit
filter to something more generic?
> In other words, are the choices really just "always" and "never"?
For syscall, yes. There are still task, exclude, and user filters. Of these, I
can't think of any use for the task filter anymore either. I think at one
time it, too, was envisioned to help select the right tasks for auditing.
> If we're going to change things, is this an opportunity to simplify in
> general?
I wouldn't mind losing task filter, too. But I was thinking mostly of the case
where entry rules identify a syscall is auditable and then the exit filter is
99% of the time walked in its entirety before deciding nothing to do.
-Steve