On 4/3/06, Mont Rothstein <[EMAIL PROTECTED]> wrote:
> Is there any reason not to put many rules on one line in audit.rules?
>
> Ex:
> -a exit,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 -S unlink -S link -S symlink -S rename -S mkdir -S rmdir -F devmajor=253 -F devminor=1

Yes, that is preferred. The total overhead of storing this rule in the kernel is reduced, and it's more efficient for the kernel filtering code to iterate over.

You might have missed it, but this is exactly what Steve Grubb recommended to you on 3/28:

https://www.redhat.com/archives/linux-audit/2006-March/msg00249.html

:-Dustin

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
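
An added example, not code from this thread or from the audit project: a Python script that folds consecutive `audit.rules` lines differing only in their `-S` syscall into one rule, the form recommended in the reply above. It goes slightly beyond the thread's rule by also carrying `-k` keys; the sample rules and the function names are constructed for illustration, and only adjacent rules are merged so that rule order is preserved.

```python
# Constructed sample rules file (not from the thread): one syscall per rule.
SAMPLE = """\
# file-changing syscalls on device 253:1
-a exit,always -S creat -F devmajor=253 -F devminor=1
-a exit,always -S open -F devmajor=253 -F devminor=1
-a exit,always -S unlink -F devminor=1 -F devmajor=253
-a exit,never -S open -F devmajor=253 -F devminor=1
-a exit,always -S rename -F devmajor=253 -F devminor=1
-w /etc/passwd -p wa
"""

def parse_rule(line):
    """Return (signature, syscalls) for a mergeable -a rule, else None."""
    tokens = line.split()
    if line.lstrip().startswith("#") or "'" in line or '"' in line or len(tokens) % 2:
        return None  # comments, quoted values and odd token counts stay verbatim
    opts = list(zip(tokens[0::2], tokens[1::2]))
    flags = [f for f, _ in opts]
    if flags.count("-a") != 1 or "-S" not in flags or set(flags) - {"-a", "-S", "-F", "-k"}:
        return None
    action = next(v for f, v in opts if f == "-a")
    # -F fields are ANDed, so sorting them does not change what the rule matches.
    fields = tuple(sorted(v for f, v in opts if f == "-F"))
    keys = tuple(v for f, v in opts if f == "-k")
    return (action, fields, keys), [v for f, v in opts if f == "-S"]

def merge_adjacent(text):
    """Fold consecutive rules that differ only in -S into one rule per run."""
    out, run = [], None  # run = [signature, ordered set of syscalls]

    def flush():
        if run:
            (action, fields, keys), syscalls = run
            parts = ["-a", action]
            for flag, values in (("-S", syscalls), ("-F", fields), ("-k", keys)):
                for v in values:
                    parts += [flag, v]
            out.append(" ".join(parts))

    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed and run and parsed[0] == run[0]:
            run[1].update(dict.fromkeys(parsed[1]))
            continue
        flush()  # only adjacent rules merge, so rule order is never changed
        run = [parsed[0], dict.fromkeys(parsed[1])] if parsed else None
        if not parsed:
            out.append(line)
    flush()
    return out

if __name__ == "__main__":
    print("\n".join(merge_adjacent(SAMPLE)))
```

The `exit,never` rule in the sample breaks the run, so the `rename` rule after it is left as a separate rule rather than being moved ahead of the exclusion.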
