From: Matthew Booth
Subject: Prettier formatting of audit.rules
Date: Wed, 21 Feb 2007 11:23:25 +0000
Message-ID: <1172057005.3970.26.camel@localhost.localdomain>
To: linux-audit
List-Id: linux-audit@redhat.com

I note from the auditctl man page that sending a shorter list of audit rules to the kernel is preferable. Specifically, specifying lots of system calls in a single rule is recommended. However, this makes audit.rules unpleasant to look at and impossible to comment.

While audit.rules allows comments to be put on their own lines, it doesn't allow a rule to be split over multiple lines, or comments at the end of lines.

So rather than:

-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S execve -S vfork -S fork -S clone -F auid!=101 -F auid!=102 -F auid!=103

it would be much nicer to write something like:

-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown # Attribute changes
-S creat -S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S execve -S vfork -S fork -S clone # Task creation
-F auid!=101 -F auid!=102 -F auid!=103 # Filter Oracle activity

Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
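
An added example, not part of the original message or of the audit package: a small preprocessor that turns the commented, multi-line layout proposed above into the one-rule-per-line form audit.rules accepts. It assumes that a line beginning with -S, -F, -k or -p continues the previous rule and that a # at the start of a line or after whitespace begins a comment; the message defines neither convention, and the function name and sample input are constructed.

```python
import re

# Assumption: these options only extend a rule and never start one.
CONTINUATION = ("-S", "-F", "-k", "-p")
# Assumption: '#' at line start or after whitespace opens a comment,
# so a '#' embedded in a value (e.g. a path) is left alone.
COMMENT = re.compile(r"(^|\s)#.*$")


def flatten_rules(text):
    """Join commented, multi-line rules into one-rule-per-line form."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue  # blank line or comment-only line
        words = line.split()
        if words[0] in CONTINUATION:
            if not rules:
                # Refuse to guess: a dangling fragment would silently
                # change what gets audited.
                raise ValueError(f"line {lineno}: continuation before any rule")
            rules[-1].extend(words)
        else:
            rules.append(words)
    return [" ".join(rule) for rule in rules]


# Constructed sample input in the layout proposed in the message.
SAMPLE = """\
# Constructed sample, not a recommended rule set
-a entry,always -S chmod -S fchmod -S chown   # Attribute changes
-S execve -S vfork -S fork -S clone           # Task creation
-F auid!=101 -F auid!=102 -F auid!=103        # Filter Oracle activity
-w /etc/passwd
-p wa   # Watch writes and attribute changes
"""

if __name__ == "__main__":
    print("\n".join(flatten_rules(SAMPLE)))
```

Diffing the flattened output against the previously deployed rules before loading it shows whether a comment or continuation edit changed what is actually audited.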