On Wednesday 02 November 2005 10:47, David Woodhouse wrote:
> But it's not clear that this filtering is of the same nature -- can you
> explain the anticipated use case and show why it's necessary to add this
> particular filter to the _kernel_ instead of doing it in userspace?
The main use case is to allow the admin to reject certain classes of records.
Perhaps they do not want to have any LSPP record or SE Linux avc messages.
They could have the kernel filter those out. There are still people that
do not run the audit daemon and do not want avcs in their syslogs or on their
screens. This allows them to shut it off.
This also allows an admin to tune what information is going to the audit
daemon when the system is very busy and is overwhelming the audit daemon. For
some people, having syscalls go onto a wait queue is not something they want.
They would like a fine-grained way to pick what gets kept. This allows it.
There was a proposal put out here:
https://www.redhat.com/archives/linux-audit/2005-September/msg00061.html
There were no comments saying no one should do this. If anyone has objections
to anything on that list, please discuss it now before people waste their
time on something that will be rejected.
-Steve