[PATCH] filterexcl: allow filterkey
Steve Grubb
sgrubb at redhat.com
Tue Jun 13 19:39:59 UTC 2017
On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> > On 2017-06-12 20:05, Steve Grubb wrote:
> > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > > The exclude rules did not permit a filterkey to be added. This isn't
> > > > as
> > > > important for the exclude filter compared to the others since no
> > > > records are generated with that key, but still helps identify rules
> > > > in the rules list configuration.
> > >
> > > How long ago did thkernel start allowing this? I'm trying to decide if
> > > this is generally applicable or needs some kind of versioning.
> >
> > I wasn't aware it was disallowed previously. I'll try to dig out if
> > that was previously refused.
>
> I see nothing obvious going back to its introduction:
> 5adc8a6adc91 <amy.griffis at hp.com> 2006-06-14 ("add rule filterkey")
I think I remember that it was never supported because it didn't make sense to
have a key that would never be used for anything. Exclude supresses records
just like a 'never' action. The key is rejected to catch someone's attention
that they might have made a copy and paste to the wrong filter.
-Steve
More information about the Linux-audit
mailing list