Michael C Thompson wrote:
> Linda Knippers wrote:
>
>> Steve Grubb wrote:
>>
>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>
>>>> I would read the second rule as saying "do not exclude messages of type
>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>
>>> That sounds reasonable, but I don't think that's what the kernel
>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>
>> According to the manpage, I'd say the kernel is behaving as expected.
>>
>> "Never" means never generate an audit record and "exclude" means even if
>> one was generated, it should be excluded. The two options together are
>> somewhat redundant but I don't think "never" was intended to mean "never
>> do what the previous option just said to do", at least not according to
>> the manpage.
>
> Agreed. The wording is... confusing when compared to the rule. I guess
> the real question which needs to be answered is "Do we need to be able
> to force the capture of a rule?"... since audit by default does not
> audit anything, and you have to explicitly add filters, I would say "no"
> to this question.
>
> That said, I think we should leave "exclude,always" as is, and either
> change the man page to say something about "exclude,never" being the
> same as "exclude,always", _or_ change the userspace to indicate that
> "exclude,never" doesn't make sense.
I'm not sure "always" makes sense either, at least not as described in the manpage, since it says to always write out a record at syscall exit time.

-- ljk

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
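The behaviour the thread settles on, as an added illustration that is not part of the original messages, the kernel or the audit userspace: on the exclude list only the msgtype field is compared, so a rule written "exclude,never" drops the same records as "exclude,always". The model below parses rule strings in the `auditctl -a list,action -F msgtype=TYPE` form with a deliberately simplified parser (not auditctl's own), filters a constructed sequence of record types, and also shows the userspace-side warning Michael suggests as one of the two possible fixes. The record-type sample and the `lint_rule` warning text are assumptions made for this example.

```python
"""Model of the audit 'exclude' filter list and the always/never action.

Added example; not kernel code and not auditctl. It reproduces the behaviour
described in the thread: on the exclude list the action is redundant, so
'exclude,always' and 'exclude,never' filter identically.
"""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    lst: str       # filter list; this model only knows "exclude"
    action: str    # "always" or "never"
    msgtype: str   # value of the -F msgtype= field


def parse_rule(argv: str) -> Rule:
    """Parse the argument of 'auditctl -a', e.g. 'exclude,never -F msgtype=SYSCALL'.

    Simplified parser written for this example, not auditctl's.
    """
    tokens = argv.split()
    lst, _, action = tokens[0].partition(",")
    if lst != "exclude":
        raise ValueError("this model only handles the exclude list")
    if action not in ("always", "never"):
        raise ValueError(f"unknown action {action!r}")
    msgtype = None
    i = 1
    while i < len(tokens):
        if tokens[i] == "-F" and i + 1 < len(tokens):
            key, _, val = tokens[i + 1].partition("=")
            if key != "msgtype":
                raise ValueError("exclude rules only take -F msgtype=")
            msgtype = val
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    if msgtype is None:
        raise ValueError("exclude rule needs -F msgtype=")
    return Rule(lst, action, msgtype)


def lint_rule(rule: Rule) -> str:
    """Userspace-side check Michael proposes: flag 'exclude,never' as a
    spelling that does nothing different from 'exclude,always'.
    Warning text is an assumption for this example."""
    if rule.lst == "exclude" and rule.action == "never":
        return "warning: exclude,never behaves like exclude,always; action is ignored"
    return ""


def excluded(record_type: str, rules: List[Rule]) -> bool:
    """True if the exclude list drops this record type.

    Only msgtype is compared; the action is ignored, which is the behaviour
    Linda describes as expected.
    """
    return any(r.msgtype == record_type for r in rules)


def filter_records(records: List[str], rules: List[Rule]) -> List[str]:
    return [t for t in records if not excluded(t, rules)]


# Constructed sample of record types, roughly one syscall event plus a few
# unrelated records.
SAMPLE_RECORDS = ["SYSCALL", "CWD", "PATH", "USER_LOGIN", "SYSCALL", "CONFIG_CHANGE"]


def compare_spellings() -> Tuple[List[str], List[str]]:
    """Filter the sample with each spelling; both lists should be identical."""
    always = [parse_rule("exclude,always -F msgtype=SYSCALL")]
    never = [parse_rule("exclude,never -F msgtype=SYSCALL")]
    return filter_records(SAMPLE_RECORDS, always), filter_records(SAMPLE_RECORDS, never)


if __name__ == "__main__":
    kept_always, kept_never = compare_spellings()
    print("exclude,always keeps:", kept_always)
    print("exclude,never  keeps:", kept_never)
    print("identical:", kept_always == kept_never)
    print(lint_rule(parse_rule("exclude,never -F msgtype=SYSCALL")))
```

Running it shows SYSCALL records removed under both spellings and the remaining record types untouched, which is exactly the "redundant but harmless" reading of "exclude,never"; `lint_rule` is where a userspace warning would sit if the second of Michael's two options were chosen.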
