From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [RFC] Do away with entry filter Date: Fri, 27 Feb 2009 16:18:40 -0500 Message-ID: <200902271618.41139.sgrubb@redhat.com> References: <200902270954.12237.sgrubb@redhat.com> <200902271319.06607.sgrubb@redhat.com> <1235765644.3386.64.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <1235765644.3386.64.camel@localhost.localdomain> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Friday 27 February 2009 03:14:04 pm Eric Paris wrote: > > We still have user, task, and exclude filters. So we still need to be > > able to specify them. > > right, so lets call them =C2=A0 user, task, exclude and SYSCALL rather = than > user, task, exclude and EXIT. Precisely what I was trying to get at with Linda's comments. We still hav= e to=20 have the same rule format since you have to specify which filter the neve= r or=20 always goes with. And I would have to honor entry/exit inside auditctl fo= r=20 quite a while before dropping it there. But we should be careful about=20 changing defines in the kernel. > /me will very happily mark the old rule format, entry, and task lists > for kernel removal. =C2=A0Maybe around 2.6.31? .32? I could clean all t= he > crap out. Yes, I think we could give it a good cleaning out in the near future. I'd= =20 prefer having a patch soonish, but not submitted for a while so that dist= ros=20 can switch user space well before the kernel changes. Additionally, I want to use the 2.0 release to clean out the legacy=20 workarounds for defines at various points in the audit system's life. -Steve