On 11/1/05, Dustin Kirkland <dustin.kirkland(a)us.ibm.com> wrote:
> The interface to exclude messages of IPC type looks like:
>
>     auditctl -a exclude,always -F "msgtype=IPC"

Just now thinking about this... This might be a bit verbose for what
is truly needed. That is, the "always" part, and even the "msgtype"
should probably be implicit. In which case, we might offer a shortcut
interface for excluding audit messages by type to use a new "-E"
parameter:

    auditctl -E "type=IPC" -E "type>1400"

Also, I realized that my first patch didn't update the man page or the
usage statements for auditctl. I'll fix that in subsequent posts as
we hash out the interoperation of kernel and userspace.
:-Dustin