On 2017-06-13 15:39, Steve Grubb wrote:
On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote:
> > On 2017-06-12 20:05, Steve Grubb wrote:
> > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote:
> > > > The exclude rules did not permit a filterkey to be added. This isn't as
> > > > important for the exclude filter compared to the others since no
> > > > records are generated with that key, but still helps identify rules
> > > > in the rules list configuration.
> > >
> > > How long ago did the kernel start allowing this? I'm trying to decide if
> > > this is generally applicable or needs some kind of versioning.
> >
> > I wasn't aware it was disallowed previously. I'll try to dig out if
> > that was previously refused.
>
> I see nothing obvious going back to its introduction:
> 5adc8a6adc91 <amy.griffis(a)hp.com> 2006-06-14 ("add rule filterkey")
I think I remember that it was never supported because it didn't make sense to
have a key that would never be used for anything. Exclude suppresses records
just like a 'never' action. The key is rejected to catch someone's attention
that they might have made a copy and paste to the wrong filter.

That issue was addressed somewhere in my correspondence about that
patch. It won't show up in the logs, but it is arguably useful for
sysadmins to be able to tag each rule in a systematic way.
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635