On 2017-06-13 15:39, Steve Grubb wrote:
> On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> > > On 2017-06-12 20:05, Steve Grubb wrote:
> > > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > > > The exclude rules did not permit a filterkey to be added. This isn't
> > > > > as important for the exclude filter compared to the others since no
> > > > > records are generated with that key, but still helps identify rules
> > > > > in the rules list configuration.
> > > >
> > > > How long ago did the kernel start allowing this? I'm trying to decide if
> > > > this is generally applicable or needs some kind of versioning.
> > >
> > > I wasn't aware it was disallowed previously. I'll try to dig out if
> > > that was previously refused.
> >
> > I see nothing obvious going back to its introduction:
> > 5adc8a6adc91 <[email protected]> 2006-06-14 ("add rule filterkey")
>
> I think I remember that it was never supported because it didn't make sense to
> have a key that would never be used for anything. Exclude suppresses records
> just like a 'never' action. The key is rejected to catch someone's attention
> that they might have made a copy and paste to the wrong filter.

That issue was addressed somewhere in my correspondence about that patch. It
won't show up in the logs, but it is arguably useful for sysadmins to be able
to tag each rule in a systematic way.

> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
