Re: USER messages - default behavior



On Thursday 16 June 2005 14:09, Debora Velarde wrote:
> Since we will soon be able to filter USER messages by auid, I have a
> question about what the default behavior will be. Currently, all USER
> messages are captured by default, will this remain true?

I think so.

> Or will there be a new auditctl rule to turn on or off auditing of USER
> messages, similar to how we have "-S all" for syscalls?

I was thinking that we could do something like that someday in the future but 
not for this development cycle. It is on the TODO list.

> Once we are able to audit by auid, will we then audit all USER messages
> unless the auid of the USER message matches a filter rule such as "auditctl
> -a exit,always -F auid!=<auid>"?

I think that was the intention. You could also do
"-a exit,never -F auid=<auid>"

-Steve

