On Thu, May 17, 2007 at 09:58:25AM -0400, Steve Grubb wrote: > On Thursday 17 May 2007 09:19, [EMAIL PROTECTED] wrote: > > > I'd suggest adding a printk() in addition to returning 0 - you don't want > > > to silently ignore unknown or unsupported syscalls when auditing. > > > > Make it rate-limited, so a program can't unintentionally spam your logs. > > For this to happen, the syscall would have to be > 2048. I'd almost image > syscalls out of range in general...whether being auditing by class as in this > case or with a typical syscall rule is a problem. So, way back over at > syscall entry would be the time to notice this problem instead of here. If we > are concerned about this, it might be a general control feature like > enable/disable, fail mode, or backlog. We could make something to report out > of range syscalls.
Can we agree to do just the simple fix for this issue for now, and maybe revisit adding additional sanity checks later if people think they are helpful? -Klaus -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
