Linda Knippers wrote:
> Michael C Thompson wrote:
>> Linda Knippers wrote:
>>> Steve Grubb wrote:
>>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>>> I would read the second rule as saying "do not exclude messages of type
>>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>>
>>>> That sounds reasonable, but I don't think that's what the kernel
>>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>>
>>> According to the manpage, I'd say the kernel is behaving as expected.
>>>
>>> "Never" means never generate an audit record and "exclude" means even if
>>> one was generated, it should be excluded. The two options together are
>>> somewhat redundant but I don't think "never" was intended to mean "never
>>> do what the previous option just said to do", at least not according to
>>> the manpage.
>>
>> Agreed. The wording is... confusing when compared to the rule. I guess
>> the real question which needs to be answered is "Do we need to be able
>> to force the capture of a rule?"... since audit by default does not
>> audit anything, and you have to explicitly add filters, I would say "no"
>> to this question.
>>
>> That said, I think we should leave "exclude,always" as is, and either
>> change the man page to say something about "exclude,never" being the
>> same as "exclude,always", _or_ change the userspace to indicate that
>> "exclude,never" doesn't make sense.
>
> I'm not sure "always" makes sense either, at least not as described in
> the manpage since it says to always write out a record at syscall exit
> time.

So it sounds like the man page needs to be reworded... if I think of anything clear and enlightening, I will pass it on.

I think that the "exclude,always" construct (outside of what the man page says) has inherent meaning, so I would leave it as is. Would you agree that changing the "exclude,never" to be invalidated in userspace makes sense?

Mike
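The thread proposes having userspace reject "exclude,never" instead of leaving the man page and the kernel to disagree about what it means. The following is an added illustration of that check, written for this page and not taken from auditctl or the audit project: a small validator for the `-a list,action` part of an audit rule line. The set of list and action names comes from auditctl(8); the parser itself, its function name and its messages are this example's own.

```python
"""Hypothetical validator for auditctl-style "-a list,action" rule lines.

Illustrates the userspace check discussed in the thread: accept the
documented list/action pairs, but reject "exclude,never", which the
exclude filter cannot give any meaning to. This is example code, not
auditctl's own parser.
"""
import shlex

# Filter lists and actions as documented in auditctl(8). "entry" was still
# accepted by the 2006-era tools and is kept so the list syntax is complete.
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}


def validate_rule(rule: str) -> tuple[bool, str]:
    """Return (ok, message) for one rule line such as
    '-a exclude,always -F msgtype=SYSCALL'.

    Only the list,action argument following -a or -A is examined; every
    other option on the line is passed through unchecked.
    """
    try:
        argv = shlex.split(rule)
    except ValueError as exc:
        return False, f"unparseable rule: {exc}"

    for i, tok in enumerate(argv):
        if tok not in ("-a", "-A"):
            continue
        if i + 1 >= len(argv):
            return False, f"{tok} requires a list,action argument"
        spec = argv[i + 1]
        parts = spec.split(",")
        if len(parts) != 2:
            return False, f"expected list,action, got {spec!r}"

        # auditctl(8) documents both "list,action" and "action,list";
        # normalise to (list, action) before checking the combination.
        a, b = parts
        if a in LISTS and b in ACTIONS:
            lst, act = a, b
        elif a in ACTIONS and b in LISTS:
            lst, act = b, a
        else:
            return False, f"unknown list or action in {spec!r}"

        if lst == "exclude" and act == "never":
            # The exclude filter only drops records; it has no way to force
            # a record to be kept, so "never" has nothing to apply to.
            return False, ("exclude,never is meaningless: the exclude filter "
                           "can only discard records, not force their capture")
        return True, f"ok: list={lst} action={act}"

    return True, "ok: no -a/-A option present"


if __name__ == "__main__":
    # Constructed sample rules, including the pair discussed in the thread.
    for line in ("-a exclude,always -F msgtype=SYSCALL",
                 "-a exclude,never -F msgtype=SYSCALL",
                 "-a always,exit -S open"):
        print(f"{line!r:45} -> {validate_rule(line)}")
```

Running the module prints one verdict per constructed rule; the "exclude,never" line is the only one rejected, which is the behaviour the thread asks userspace to adopt.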


--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
