Klaus Weidner wrote: [Mon Apr 17 2006, 04:06:56PM EDT]
> On Mon, Apr 17, 2006 at 10:27:34AM -0500, Timothy R. Chavez wrote:
> > Maybe this is a completely stupid thought, but what about the option of
> > adding a per-syscall filter list table, indexed by system-call number.
>
> That's how LAuS worked... You'd need to support multiple lists to handle
> multiple personalities (ie 32bit code running on x86_64).
>
> The amount of space used isn't too bad; it would also be possible to use
> reference counting to share entries for identical rules.

This approach makes a lot of sense to me. I think it would be a good next
step for audit filtering.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
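
An added sketch in user-space C (not LAuS or kernel audit code, and not from this thread) of the table discussed above: one rule list per personality and syscall number, with reference-counted rule bodies shared between slots. All names, the table sizes and the uid match field are assumptions made for illustration.

```c
#include <stdlib.h>

#define NR_ARCH     2   /* assumed: 0 = native 64-bit, 1 = 32-bit compat */
#define NR_SYSCALLS 512 /* assumed table size, not a kernel constant */

struct rule { int refcnt; unsigned uid; };          /* shared rule body */
struct node { struct rule *r; struct node *next; }; /* per-slot list link */
static struct node *table[NR_ARCH][NR_SYSCALLS];

static int in_range(int arch, int nr) {
    return arch >= 0 && arch < NR_ARCH && nr >= 0 && nr < NR_SYSCALLS;
}

struct rule *rule_new(unsigned uid) {
    struct rule *r = calloc(1, sizeof(*r));
    if (r) r->uid = uid;
    return r;
}

/* Attach to one (personality, syscall) slot; identical rules share one body. */
int rule_attach(struct rule *r, int arch, int nr) {
    struct node *n;
    if (!r || !in_range(arch, nr) || !(n = malloc(sizeof(*n))))
        return -1;
    n->r = r;
    r->refcnt++;
    n->next = table[arch][nr];
    table[arch][nr] = n;
    return 0;
}

/* Empty a slot; a rule body is freed when its last reference goes. */
void slot_clear(int arch, int nr) {
    if (!in_range(arch, nr)) return;
    for (struct node *n = table[arch][nr], *next; n; n = next) {
        next = n->next;
        if (--n->r->refcnt == 0) free(n->r);
        free(n);
    }
    table[arch][nr] = NULL;
}

/* Syscall entry: walk only the list for this personality and number. */
int should_audit(int arch, int nr, unsigned uid) {
    if (!in_range(arch, nr)) return 0;
    for (struct node *n = table[arch][nr]; n; n = n->next)
        if (n->r->uid == uid) return 1;
    return 0;
}
```

A rule on open() would be attached at slot (0, 2) and slot (1, 5), since open is syscall 2 on x86_64 and 5 on i386; looking up number 2 in the 32-bit list must not match, which is why a single list indexed by number alone is not enough.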
