From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: Re: What is expected: exclude action on the never list?
Date: Tue, 30 May 2006 17:43:09 -0500
Message-ID: <447CCA7D.9090505@us.ibm.com>
References: <447CAEE6.1030501@us.ibm.com> <200605301712.50107.sgrubb@redhat.com> <447CB66B.20005@hp.com> <447CC6EB.4070205@us.ibm.com> <447CC9CE.90303@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <447CC9CE.90303@hp.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linda Knippers
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Linda Knippers wrote:
> Michael C Thompson wrote:
>> Linda Knippers wrote:
>>
>>> Steve Grubb wrote:
>>>
>>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>>
>>>>> I would read the second rule as saying "do not exclude messages of type
>>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>>
>>>> That sounds reasonable, but I don't think that's what the kernel
>>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>>
>>> According to the manpage, I'd say the kernel is behaving as expected.
>>>
>>> "Never" means never generate an audit record and "exclude" means even if
>>> one was generated, it should be excluded. The two options together are
>>> somewhat redundant but I don't think "never" was intended to mean "never
>>> do what the previous option just said to do", at least not according to
>>> the manpage.
>>
>> Agreed. The wording is... confusing when compared to the rule. I guess
>> the real question which needs to be answered is "Do we need to be able
>> to force the capture of a rule?"... since audit by default does not
>> audit anything, and you have to explicitly add filters, I would say "no"
>> to this question.
>>
>> That said, I think we should leave "exclude,always" as is, and either
>> change the man page to say something about "exclude,never" being the
>> same as "exclude,always", _or_ change the userspace to indicate that
>> "exclude,never" doesn't make sense.
>
> I'm not sure "always" makes sense either, at least not as described in
> the manpage since it says to always write out a record at syscall exit
> time.

So it sounds like the man page needs to be reworded... if I think of
anything clear and enlightening, I will pass it on.

I think that the "exclude,always" construct (outside of what the man page
says) has inherent meaning, so I would leave it as is.

Would you agree that changing the "exclude,never" to be invalidated in
userspace makes sense?

Mike
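The two readings of the exclude list argued over in this thread, and the userspace check Mike proposes, as a small model added here for illustration. This is constructed example code, not the kernel's audit filter or auditctl's own parser: it accepts auditctl-style rules such as `-a exclude,always -F msgtype=SYSCALL` (list and action in either order, as auditctl allows), evaluates them both as the thread says the kernel behaves (a matching exclude rule drops the record whatever the action says) and as the literal "never means do not exclude" reading, and rejects `exclude,never` the way a userspace validation would. The function names, the `LISTS` set and the message types used in the sample are assumptions for the example.

```python
"""Model of the auditctl 'exclude' list semantics discussed in the thread.

Constructed example: not the kernel's or audit-userspace's code.  It encodes
the two readings from the thread side by side so they can be compared.
"""
import re

# Filter lists and actions auditctl accepts after '-a' (assumed for the example).
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}


def parse_rule(text):
    """Parse '-a <list>,<action> [-F name=value ...]' into a dict.

    Returns {'list': str, 'action': str, 'fields': {name: value}}.
    Accepts '<list>,<action>' or '<action>,<list>', as auditctl does.
    """
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != "-a":
        raise ValueError("rule must start with '-a <list>,<action>'")
    parts = tokens[1].split(",")
    if len(parts) != 2:
        raise ValueError("expected '<list>,<action>', got %r" % tokens[1])
    if parts[0] in LISTS and parts[1] in ACTIONS:
        lst, action = parts
    elif parts[0] in ACTIONS and parts[1] in LISTS:
        action, lst = parts
    else:
        raise ValueError("unknown list/action %r" % tokens[1])
    fields = {}
    i = 2
    while i < len(tokens):
        if tokens[i] != "-F" or i + 1 >= len(tokens):
            raise ValueError("expected '-F name=value' near %r" % tokens[i:])
        m = re.fullmatch(r"(\w+)=(\w+)", tokens[i + 1])
        if not m:
            raise ValueError("bad field %r" % tokens[i + 1])
        fields[m.group(1)] = m.group(2)
        i += 2
    return {"list": lst, "action": action, "fields": fields}


def validate_rule(rule):
    """Userspace check proposed in the thread: refuse 'exclude,never'.

    Returns None when the rule is acceptable, otherwise the rejection text.
    """
    if rule["list"] == "exclude":
        if rule["action"] == "never":
            return "exclude,never makes no sense; use exclude,always to drop records"
        if "msgtype" not in rule["fields"]:
            return "exclude rules filter on msgtype"
    return None


def excluded_kernel_style(rules, msgtype):
    """Kernel behaviour as the thread describes it: any matching rule on the
    exclude list drops the record, regardless of always/never."""
    return any(r["list"] == "exclude" and r["fields"].get("msgtype") == msgtype
               for r in rules)


def excluded_literal_reading(rules, msgtype):
    """Mike's initial reading: 'never' on the exclude list means 'do not exclude'.
    The first matching rule decides, as on the other filter lists."""
    for r in rules:
        if r["list"] == "exclude" and r["fields"].get("msgtype") == msgtype:
            return r["action"] == "always"
    return False


if __name__ == "__main__":
    # Constructed rule from the thread's discussion.
    rule = parse_rule("-a exclude,never -F msgtype=SYSCALL")
    print("validation:", validate_rule(rule))
    print("kernel style drops SYSCALL:", excluded_kernel_style([rule], "SYSCALL"))
    print("literal reading drops SYSCALL:", excluded_literal_reading([rule], "SYSCALL"))
```

Running it shows the disagreement in one place: under the kernel-style evaluation the `exclude,never` rule still drops SYSCALL records, under the literal reading it keeps them, and the validator refuses the rule before either question arises, which is the userspace change the message asks about.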