Re: [RFC] Virtual Key Fields
On Monday 24 March 2008 09:42:14 Eric Paris wrote:
> Auditctl will also allow delete all rules matching a key. This
will allow
> the admin or a program to delete a set of rules related to just a
> particular key and leave all other rules intact.
How does this work? This is a completely new concept and it seems like
it should be a second patch after you have multiple keys in to start
with.
This is all in user space so no kernel changes are needed.
auditctl -a exit,always -w /tmp/file1 -k file1 -k shared-key
auditctl -a exit,always -w /tmp/file2 -k file2 -k shared-key
now if I say (and i'm just guessing your new syntax):
auditctl -d -k shared-key
I was only going to change the '-D' option (delete all). Assuming this was
typed:
auditctl -D -k shared-key
You have no rules left which is the same as if you did not have the -k added.
If however, you have this loaded:
-a exit,always -w /tmp/file1 -k file1 -k my-file-key -k ids-file-high
-a exit,always -w /tmp/file2 -k file2 -k another-key -k ids-file-high
auditctl -D -k another-key
will just delete the second rule.
auditctl -D -k ids-file-high
will delete them all.
-Steve