On Thursday 17 May 2007 09:19, [EMAIL PROTECTED] wrote: > > I'd suggest adding a printk() in addition to returning 0 - you don't want > > to silently ignore unknown or unsupported syscalls when auditing. > > Make it rate-limited, so a program can't unintentionally spam your logs.
For this to happen, the syscall would have to be > 2048. I'd almost image syscalls out of range in general...whether being auditing by class as in this case or with a typical syscall rule is a problem. So, way back over at syscall entry would be the time to notice this problem instead of here. If we are concerned about this, it might be a general control feature like enable/disable, fail mode, or backlog. We could make something to report out of range syscalls. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
