exclude filter action ignored?
Steve Grubb
sgrubb at redhat.com
Mon May 16 16:01:42 UTC 2016
On Monday, May 16, 2016 11:44:26 AM Richard Guy Briggs wrote:
> On 16/05/16, Steve Grubb wrote:
> > On Sunday, May 15, 2016 04:38:27 PM Richard Guy Briggs wrote:
> > > Hi Steve,
> > >
> > > Can you confirm that the exclude filter action parameter is ignored?
> >
> > The exclude filter was supposed to do only 1 thing, delete events. It was
> > needed to create a pure CAPP system back in the lspp days. There are
> > things like selinux which send events whether you wanted them or not. For a
> > pure CAPP system you just tell it the msgtype of selinux events and then
> > they are gone. People found other uses later like getting rid of cron job
> > pam messages. But it's always been used to remove events rather than
> > trigger them.
>
> Fine. Can we put something in the manpage to clarify that
> "exclude,never" won't do what people might think, which might be to
> override some other rule on a different list?

Typically where we use never rules is in blocking events on a certain
directory or application. This would be the entry and user filters. AFAIK, no
one has reported a problem where exclude,never wasn't working. :-)

> Something like "The exclude list ignores the action, and is treated as
> "always", or block the never option entirely either in userspace or in the
> kernel. I realize this latter option could be contentious since some might
> interpret that as "breaking userspace".

No one could possibly be counting on that to work (because it doesn't work).
But we can adjust the man page.

-Steve
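Since the thread establishes that the exclude list ignores the action and only ever deletes events, a rules file containing "exclude,never" (or "never,exclude") is a silent misconfiguration. The following shell lint is an added example, not code from the thread or the audit project; the rules text is constructed, and the same function can be fed the output of `auditctl -l` or an audit.rules file.

```shell
#!/bin/sh
# Constructed sample rules text (not from the original thread). Two of the
# rules attach "never" to the exclude list, which the kernel ignores.
SAMPLE_RULES='-D
-b 8192
# drop cron pam noise: this is what the exclude list is for
-a always,exclude -F msgtype=CRON
-a never,exclude -F msgtype=USER_AVC
-a exclude,never -F msgtype=SERVICE_START
-a never,exit -F dir=/var/cache -F perm=w
-w /etc/passwd -p wa -k identity'

# Print every "-a"/"-A" rule whose list is exclude and whose action is never,
# accepting both orderings auditctl allows. Comments and other lists are left alone.
find_exclude_never() {
    printf '%s\n' "$1" |
        grep -E '^-[aA][[:space:]]+(never,exclude|exclude,never)([[:space:]]|$)'
}

# Number of such rules; 0 means the file is clean with respect to this pitfall.
count_exclude_never() {
    find_exclude_never "$1" | wc -l | tr -d ' '
}

if [ "$(count_exclude_never "$SAMPLE_RULES")" != "0" ]; then
    echo "warning: exclude rules with action 'never' are ignored by the kernel:" >&2
    find_exclude_never "$SAMPLE_RULES" >&2
fi
```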