[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] (0/2) new audit filter allows excluding messages by type



On 11/1/05, Dustin Kirkland <dustin kirkland us ibm com> wrote:
> The interface to exclude messages of IPC type looks like:
> auditctl -a exclude,always -F "msgtype=IPC"

Just now thinking about this...  This might be a bit verbose for what
is truly needed.  That is, the "always" part, and even the "msgtype"
should probably be implicit.  In which case, we might offer a shortcut
interface for excluding audit messages by type to use a new "-E"
parameter:

auditctl -E "type=IPC" -E "type>1400"

Also, I realized that my first patch didn't update the man page or the
usage statements for auditctl.  I'll fix that in subsequent posts as
we hash out the interoperation of kernel and userspace.


:-Dustin


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]