Do we need entry,always rules? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Do we need entry,always rules?

filtering on inode ouid

Re: command logging

Eric Paris

Tuesday, 8 November 2011 Tue, 8 Nov '11

3:38 p.m.

The kernel will take them, but I believe we decided to deprecate them. I can remove some 'dead' code from the kernel and just return -EINVAL if someone tries to set one. Anyone see a problem with that? -Eric

Reply

Show replies by date

Steve Grubb

Tuesday, 8 November Tue, 8 Nov

4:18 p.m.

On Tuesday, November 08, 2011 04:38:20 PM Eric Paris wrote:

The kernel will take them, but I believe we decided to deprecate them. I can remove some 'dead' code from the kernel and just return -EINVAL if someone tries to set one. Anyone see a problem with that?

That was the plan. User space migrated to exit filter rules with the audit 2.0 release. That release was over 2 years ago. I also think the example rules in the 1.7 series was changed to the exit filter so that people don't start off with entry filter rules. So, you can start the process of deprecating it. I don't know if you want to just pull the filter out or warn for a while before pulling it out. -Steve

Reply

4793

days inactive

4793

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

Eric Paris
Steve Grubb