Is the "possible" option used when checking a syscall filter rule?

Steve Grubb sgrubb at redhat.com
Fri Apr 29 13:39:36 UTC 2005


On Friday 29 April 2005 09:21, David Woodhouse wrote:
> So it logs the syscall arguments, but doesn't actually set
> context->auditable. It merely makes sure that the arguments are there in
> _case_ some other part of the kernel wants to trigger auditing of this
> particular syscall.

Which leads back to the first part of the question:

> Does this option make sense when setting a syscall entry filter or exit
> filter? Or is it meant just for task filtering?

When would a user want to set possible? It seems that by loading syscall 
rules, we are asking the audit system to trigger auditing of the syscall. 
Perhaps this was meant to complement FileSystem auditing?

I guess we need to figure out what we say on the man page for this and what a 
valid use is. And is there an invalid use? (testing scripts)

-Steve
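
The behaviour described in the quoted message above, as an added user-space model in C; it is not part of the original thread and is not kernel code. The struct, the function names, the sample syscall number and arguments, and the handling of "never" are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Filter actions named in the thread; everything else is a hypothetical model. */
enum action { ACT_NEVER, ACT_POSSIBLE, ACT_ALWAYS };

struct ctx {
    bool in_syscall;        /* arguments were captured at entry */
    bool auditable;         /* a record is written at exit */
    int nr;
    unsigned long args[4];
};

/* Entry: "possible" captures the arguments but leaves auditable clear. */
void model_entry(struct ctx *c, enum action act, int nr, const unsigned long a[4])
{
    memset(c, 0, sizeof(*c));
    if (act == ACT_NEVER) return;       /* assumed: nothing captured */
    c->in_syscall = true;
    c->nr = nr;
    memcpy(c->args, a, sizeof(c->args));
    c->auditable = (act == ACT_ALWAYS);
}

/* Some other part of the kernel asks for this syscall to be audited. */
void model_trigger(struct ctx *c) { if (c->in_syscall) c->auditable = true; }

/* Exit: returns true and formats a record only when auditable is set. */
bool model_exit(const struct ctx *c, char *buf, size_t len)
{
    if (!c->in_syscall || !c->auditable) return false;
    snprintf(buf, len, "syscall=%d a0=%lx a1=%lx", c->nr, c->args[0], c->args[1]);
    return true;
}

bool model_run(enum action act, bool triggered, char *buf, size_t len)
{
    static const unsigned long args[4] = { 0x3, 0x1ff, 0, 0 }; /* constructed */
    struct ctx c;
    model_entry(&c, act, 5, args);
    if (triggered) model_trigger(&c);
    return model_exit(&c, buf, len);
}

int main(void)
{
    char buf[64];
    puts(model_run(ACT_POSSIBLE, true, buf, sizeof buf) ? buf : "no record");
}
```

In this model a "possible" rule on its own never produces a record; it only makes the entry arguments available if something else requests auditing before the syscall exits.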




More information about the Linux-audit mailing list