[PATCH] filterexcl: allow filterkey

Richard Guy Briggs rgb at redhat.com
Tue Jun 13 19:58:29 UTC 2017


On 2017-06-13 15:39, Steve Grubb wrote:
> On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> > > On 2017-06-12 20:05, Steve Grubb wrote:
> > > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > > > The exclude rules did not permit a filterkey to be added.  This isn't as
> > > > > important for the exclude filter compared to the others since no
> > > > > records are generated with that key, but still helps identify rules
> > > > > in the rules list configuration.
> > > > 
> > > > How long ago did the kernel start allowing this? I'm trying to decide if
> > > > this is generally applicable or needs some kind of versioning.
> > > 
> > > I wasn't aware it was disallowed previously.  I'll try to dig out if
> > > that was previously refused.
> > 
> > I see nothing obvious going back to its introduction:
> >         5adc8a6adc91 <amy.griffis at hp.com> 2006-06-14 ("add rule filterkey")
> 
> I think I remember that it was never supported because it didn't make sense to
> have a key that would never be used for anything. Exclude suppresses records
> just like a 'never' action. The key is rejected to catch someone's attention
> that they might have made a copy and paste to the wrong filter.

That issue was addressed somewhere in my correspondence about that
patch.  It won't show up in the logs, but it is arguably useful for
sysadmins to be able to tag each rule in a systematic way.

> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635



