From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [RFC] Do away with entry filter
Date: Fri, 27 Feb 2009 12:40:11 -0500
Message-ID: <200902271240.12137.sgrubb@redhat.com>
References: <200902270954.12237.sgrubb@redhat.com> <49A81B59.1050608@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <49A81B59.1050608@hp.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linda Knippers
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 27 February 2009 11:56:57 am Linda Knippers wrote:
> > Let's discuss...
>
> Without "entry", does "exit" still make sense?

You mean the name? I think so from a compatibility perspective. Not everyone
will change their rules right away. Are you suggesting to rename the exit
filter to something more generic?

> In other words, are the choices really just "always" and "never"?

For syscall, yes. There are still task, exclude, and user filters. Of these, I
can't think of any use for the task filter anymore either. I think at one time
it, too, was envisioned to help select the right tasks for auditing.

> If we're going to change things, is this an opportunity to simplify in
> general?

I wouldn't mind losing task filter, too. But I was thinking mostly of the case
where entry rules identify a syscall is auditable and then the exit filter is
99% of the time walked in its entirety before deciding nothing to do.

-Steve