On Wed, Nov 02, 2005 at 04:27:34AM -0500, Dustin Kirkland wrote:
> On 11/1/05, Dustin Kirkland <dustin.kirkland(a)us.ibm.com> wrote:
> > The interface to exclude messages of IPC type looks like:
> > auditctl -a exclude,always -F "msgtype=IPC"
> Just now thinking about this... This might be a bit verbose for what
> is truly needed. That is, the "always" part, and even the "msgtype"
> should probably be implicit.
Yes, definitely. I am in favor of a separate option.
> In which case, we might offer a shortcut interface for excluding
> audit messages by type to use a new "-E" parameter:
> auditctl -E "type=IPC" -E "type>1400"
Using the hard numbers is not a good idea. We want to abstract that
from the user. It would be better to define an alias that comprises
an event group. For example:
auditctl -E user
would exclude any messages in the range AUDIT_FIRST_USER_MSG to
AUDIT_LAST_USER_MSG.
If you want to support excluding a specific message type, then you
could accept the syntax:
auditctl -E AUDIT_AVC
or perhaps more preferably:
auditctl -E avc
where avc translates to message type AUDIT_AVC.
Providing the capability to exclude single messages or larger groups
of messages should suffice. I don't think it benefits the user to
support the >,< operators in this case.
Additionally, I don't think it makes sense to support the exclusion of
any single message type defined in the header file. Some message
types, like AUDIT_PATH, don't stand on their own, but belong to a
greater subset. If we can identify message types that stand on their
own, then we can support excluding those on their own, as well as
as part of an event group.
Amy
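The alias scheme discussed above, sketched as an added example that is not code from the audit project or from either poster: a small alias table maps a name such as "user" or "avc" to a range of numeric message types, unknown names and bare numbers are rejected, and auxiliary record types like AUDIT_PATH have no alias, so they cannot be excluded on their own. The function names `add_exclusion`, `is_excluded` and the fallback constant values are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <linux/audit.h>
#endif
/* Fallbacks so the example also builds where linux/audit.h is absent. */
#ifndef AUDIT_FIRST_USER_MSG
#define AUDIT_FIRST_USER_MSG 1100
#endif
#ifndef AUDIT_LAST_USER_MSG
#define AUDIT_LAST_USER_MSG 1199
#endif
#ifndef AUDIT_AVC
#define AUDIT_AVC 1400
#endif

struct type_range { int first, last; };

/* Alias table (hypothetical): only event groups and stand-alone types
 * get a name; AUDIT_PATH and other auxiliary records are left out. */
static const struct { const char *name; struct type_range r; } aliases[] = {
    { "user", { AUDIT_FIRST_USER_MSG, AUDIT_LAST_USER_MSG } },
    { "avc",  { AUDIT_AVC, AUDIT_AVC } },
};

#define MAX_EXCL 16
static struct type_range excl[MAX_EXCL];
static int n_excl;

/* Resolve one "-E <alias>" argument. Returns 0 on success and -1 for an
 * unknown alias or a raw number, so users never deal with type values. */
int add_exclusion(const char *alias) {
    size_t i;
    for (i = 0; i < sizeof aliases / sizeof aliases[0]; i++) {
        if (strcmp(alias, aliases[i].name) == 0) {
            if (n_excl >= MAX_EXCL) return -1;
            excl[n_excl++] = aliases[i].r;
            return 0;
        }
    }
    return -1;
}

void clear_exclusions(void) { n_excl = 0; }

/* Would a record with numeric message type `type` be dropped? */
int is_excluded(int type) {
    int i;
    for (i = 0; i < n_excl; i++)
        if (type >= excl[i].first && type <= excl[i].last) return 1;
    return 0;
}
```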