Do we need entry,always rules?
Steve Grubb
sgrubb at redhat.com
Tue Nov 8 22:18:59 UTC 2011
On Tuesday, November 08, 2011 04:38:20 PM Eric Paris wrote:
> The kernel will take them, but I believe we decided to deprecate them.
> I can remove some 'dead' code from the kernel and just return -EINVAL if
> someone tries to set one. Anyone see a problem with that?
That was the plan. User space migrated to exit filter rules with the audit 2.0 release.
That release was over 2 years ago. I also think the example rules in the 1.7 series
was changed to the exit filter so that people don't start off with entry filter rules.
So, you can start the process of deprecating it. I don't know if you want to just pull
the filter out or warn for a while before pulling it out.
-Steve
More information about the Linux-audit
mailing list