On Friday 07 October 2005 18:33, Linda Knippers wrote:
>> Exclude messages within range:
>> auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
> While I think it's handy to be able to specify multiple types
> easily, supporting ranges like this doesn't seem like a good
> idea to me. If new types are added in the future within the range,
> an admin might be excluding more than intended without even knowing,
> and if the values of these definitions ever change, the rule might
> not even make sense.
And conversely, the admin can suppress the range even if new messages get
added. That seems desirable to me. A developer may want to suppress all
kernel AVC messages while passing user space originating ones.
The idea is to give the admin the flexibility to suppress as much or as little
as they want. This includes the ability to suppress by number since people
sometimes upgrade kernels but not user space tools.
>> Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
>> auditctl to be a range of 1200-1299 as specified in the audit.h header):
>> auditctl -a exclude,always -F "type=ALL_DAEMON"
> I like this approach better.
But it's the same thing. :)
The fact that it is expressing type=AUDIT_FIRST_DAEMON..AUDIT_LAST_DAEMON is
hidden from you.
> Maybe you could have ALL_SYSCALL, which includes AUDIT_SYSCALL, AUDIT_CWD,
> AUDIT_PATH, and whatever else comes with syscall auditing, regardless of
> what the values are.
One for each block of messages is planned.
-Steve
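The two ways of resolving a `type=` exclude value that the thread argues over, as an added example (not code from the thread, from auditctl, or from the audit project): a small Python model that expands the proposed filter values into the set of numeric message types they would match. The type numbers are the ones in linux/audit.h; the `A..B` range form, the ALL_DAEMON helper term and the ALL_SYSCALL group are the proposals from the thread, and the membership list given to ALL_SYSCALL is an assumption made for illustration. Nothing here asserts what syntax auditctl actually accepts.

```python
"""Model of the 'exclude by message type' syntaxes discussed in the thread.

Added example, not auditctl's code. Message type numbers are copied from
linux/audit.h; the ``A..B`` range, the ALL_DAEMON helper term and the
ALL_SYSCALL group are the proposals from the thread, and the ALL_SYSCALL
membership list below is an assumption made for illustration.
"""
import re

# Subset of the message type constants in linux/audit.h (values as in the header).
AUDIT_TYPES = {
    "AUDIT_USER_AVC": 1107,      # AVC decisions reported by user space
    "AUDIT_DAEMON_START": 1200,
    "AUDIT_DAEMON_END": 1201,
    "AUDIT_DAEMON_ABORT": 1202,
    "AUDIT_DAEMON_CONFIG": 1203,
    "AUDIT_FIRST_DAEMON": 1200,  # range markers, not record types themselves
    "AUDIT_LAST_DAEMON": 1299,
    "AUDIT_SYSCALL": 1300,
    "AUDIT_PATH": 1302,
    "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304,
    "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306,
    "AUDIT_CWD": 1307,
    "AUDIT_EXECVE": 1309,
    "AUDIT_AVC": 1400,           # AVC decisions reported by the kernel
}

# Helper terms as proposed in the thread. ALL_DAEMON expands to a numeric
# range (the thread's own definition, 1200-1299). ALL_SYSCALL is resolved by
# membership instead, so its meaning does not depend on the numeric values;
# the member list here is an assumption, not something the thread or
# audit.h fixes.
HELPER_RANGES = {"ALL_DAEMON": (1200, 1299)}
HELPER_GROUPS = {
    "ALL_SYSCALL": ("AUDIT_SYSCALL", "AUDIT_CWD", "AUDIT_PATH", "AUDIT_EXECVE"),
}

# A range is two tokens, each an audit.h name or a bare number, joined by "..".
RANGE_RE = re.compile(r"^([A-Za-z_][A-Za-z_0-9]*|\d+)\.\.([A-Za-z_][A-Za-z_0-9]*|\d+)$")


def lookup_type(token, types=AUDIT_TYPES):
    """Map one token to a numeric message type: a bare number or an audit.h name."""
    if token.isdigit():
        return int(token)  # by number, for kernels newer than the user-space tools
    if token in types:
        return types[token]
    raise ValueError(f"unknown audit message type {token!r}")


def resolve_type_spec(spec, types=AUDIT_TYPES):
    """Expand a 'type=...' filter value into the set of numeric types it matches."""
    value = spec[len("type="):] if spec.startswith("type=") else spec
    if value in HELPER_RANGES:
        lo, hi = HELPER_RANGES[value]
        return set(range(lo, hi + 1))
    if value in HELPER_GROUPS:
        return {lookup_type(name, types) for name in HELPER_GROUPS[value]}
    m = RANGE_RE.match(value)
    if m:
        lo, hi = (lookup_type(tok, types) for tok in m.groups())
        if lo > hi:
            raise ValueError(f"reversed range {value!r}")
        return set(range(lo, hi + 1))
    return {lookup_type(value, types)}


def is_excluded(msg_type, rules, types=AUDIT_TYPES):
    """True if a record of numeric type msg_type matches any exclude rule."""
    return any(msg_type in resolve_type_spec(rule, types) for rule in rules)


if __name__ == "__main__":
    # Both spellings of the daemon block cover the same numbers.
    print(resolve_type_spec("type=ALL_DAEMON")
          == resolve_type_spec("type=AUDIT_FIRST_DAEMON..AUDIT_LAST_DAEMON"))
    # A numeric range also sweeps in types the rule never names:
    # AUDIT_SOCKETCALL (1304) lies between AUDIT_SYSCALL and AUDIT_CWD.
    print(is_excluded(1304, ["type=AUDIT_SYSCALL..AUDIT_CWD"]))
    # The membership-based group only matches its listed members.
    print(is_excluded(1304, ["type=ALL_SYSCALL"]))
    # Excluding kernel AVC records (1400) leaves user-space AVC records (1107) alone.
    print(is_excluded(1400, ["type=AUDIT_AVC"]), is_excluded(1107, ["type=AUDIT_AVC"]))
```

The model makes the disagreement concrete: a range matches by number, so any record type later assigned a value inside it is excluded as well, which is the behaviour Steve wants and the one Linda objects to; a group resolved by membership only ever matches the names it was defined with, whatever their values. Numeric tokens are accepted in both places so a rule can name a type the user-space header does not yet know about.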