RFC deprecating the possible action

Steve Grubb sgrubb at redhat.com
Mon Apr 10 19:05:57 UTC 2006


Hi,

I was looking at the syscall entry code and was thinking that we could 
eliminate the "possible" action. The code in syscall entry seems to have been 
hard-wired such that every syscall performs the action as if "possible" was 
set. (Unless a never rule evaluates true.)

Since this is now hard-wired into the code, I'd like to eliminate the action 
so that people do not submit rules with "possible" as an action. This would 
help in terms of performance since the system won't be evaluating rules that 
are hard coded.

We currently have 5 syscall rules in the capp.rules file and lspp.rules file 
that would be eliminated by this change. I could always delete them from the 
rule file, but other people will make the mistake of setting possible on some 
rules without studying the kernel code.

What are people's thoughts on this?

-Steve



