On 4/3/06, Mont Rothstein <mont.rothstein(a)gmail.com> wrote:
> Is there any reason not to put many rules on one line in
> audit.rules?
> Ex:
> -a exit,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 -S unlink -S link -S symlink -S rename -S mkdir -S rmdir -F devmajor=253 -F devminor=1
Yes, that is preferred. The total overhead of storing this rule in
the kernel is reduced, and it's more efficient for the kernel
filtering code to iterate over.
You might have missed it, but this is exactly what Steve Grubb
recommended to you on 3/28:
https://www.redhat.com/archives/linux-audit/2006-March/msg00249.html
:-Dustin
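The consolidation Dustin recommends, as an added example that is not part of the thread: a small POSIX shell/awk script that merges one-syscall-per-line rules sharing the same action and -F filters into a single rule. It assumes rules use only the -a, -S and -F options, one rule per line; the sample rules are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): collapse one-syscall-per-line
# audit rules that share the same action and -F filters into a single
# rule, the form the reply says is cheaper for the kernel filter.
# Assumption: each input line uses only -a, -S and -F options.

merge_audit_rules() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
        action = ""; filters = ""; syscalls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-a")      { action = $(i + 1); i++ }
            else if ($i == "-S") { syscalls = syscalls " " $(i + 1); i++ }
            else if ($i == "-F") { filters = filters " -F " $(i + 1); i++ }
        }
        id = action SUBSEP filters               # same action + filters => one rule
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        sys[id] = sys[id] syscalls
    }
    END {
        for (j = 1; j <= n; j++) {
            id = order[j]; split(id, part, SUBSEP)
            line = "-a " part[1]
            split("", dup)                       # drop duplicate syscalls per rule
            m = split(sys[id], s, " ")
            for (k = 1; k <= m; k++)
                if (!(s[k] in dup)) { dup[s[k]] = 1; line = line " -S " s[k] }
            print line part[2]
        }
    }' "$@"
}

# Constructed sample: some of the thread's syscalls written one rule per
# line, plus one rule with a different filter that must stay separate.
SAMPLE_RULES='-a exit,always -S creat -F devmajor=253 -F devminor=1
-a exit,always -S open -F devmajor=253 -F devminor=1
-a exit,always -S truncate -F devmajor=253 -F devminor=1
-a exit,always -S unlink -F devmajor=253 -F devminor=1
-a exit,always -S open -F uid=1000'

merged_sample() { printf '%s\n' "$SAMPLE_RULES" | merge_audit_rules; }
merged_sample
```

Run it against a real audit.rules with `merge_audit_rules /etc/audit/audit.rules` and compare the output against `auditctl -l` to see how many kernel rules the rewrite saves.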