From: "Dustin Kirkland"
Subject: Re: Many rules one one line
Date: Mon, 3 Apr 2006 22:08:50 -0500
To: Linux Audit Discussion <linux-audit@redhat.com>
References: <467a83630604031543y6ace305ag53f82c8084e02917@mail.gmail.com>

On 4/3/06, Mont Rothstein wrote:
> Is there any reason not to put many rules on one line in audit.rules?
>
> Ex:
> -a exit,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64 -S unlink -S link -S symlink -S rename -S mkdir -S rmdir -F devmajor=253 -F devminor=1

Yes, that is preferred. The total overhead of storing this rule in the kernel is reduced, and it's more efficient for the kernel filtering code to iterate over.

You might have missed it, but this is exactly what Steve Grubb recommended to you on 3/28:
https://www.redhat.com/archives/linux-audit/2006-March/msg00249.html

:-Dustin
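The advice above is to collapse rules that differ only in their -S syscall into one rule carrying every -S, so the kernel stores and walks a single filter entry instead of a dozen. Below is an added example, not code from this thread or from the audit project, that does exactly that merge over a small audit.rules fragment: rules sharing the same -a list/action and the same -F filters are combined, while a rule on a different device (devminor=2) is left alone. The input text is constructed for the example; the syscall and device names are taken from the quoted rule.

```python
"""
Merge single-syscall auditctl rules into one multi -S rule.

Added example for the linux-audit thread above; it is not the audit
project's code. It understands the subset of auditctl syntax used in
the thread: -a/-A LIST,ACTION, repeated -S syscall, repeated -F field=value.
"""
import shlex
from collections import OrderedDict

# Constructed input: the watch from the thread written as one rule per
# syscall, plus one rule on a different device that must NOT be merged.
SAMPLE_RULES = """\
# one rule per syscall, all on the same device
-a exit,always -S creat -F devmajor=253 -F devminor=1
-a exit,always -S open -F devmajor=253 -F devminor=1
-a exit,always -S truncate -F devmajor=253 -F devminor=1
-a exit,always -S unlink -F devmajor=253 -F devminor=1
-a exit,always -S rename -F devmajor=253 -F devminor=1
-a exit,always -S open -F devmajor=253 -F devminor=2
"""


def parse_rule(line):
    """Return ((opt, list_action), filters), syscalls for one rule line,
    or None for blank and comment lines.

    The filters are sorted so that two rules whose -F options appear in a
    different order still compare equal; -F conditions are ANDed by the
    kernel, so their order does not change the rule's meaning."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    list_action = None
    syscalls = []
    filters = []
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt in ("-a", "-A"):          # -A prepends, -a appends
            list_action = (opt, toks[i + 1])
        elif opt == "-S":
            syscalls.append(toks[i + 1])
        elif opt == "-F":
            filters.append(toks[i + 1])
        else:
            raise ValueError("unsupported option %r in %r" % (opt, line))
        i += 2
    if list_action is None or not syscalls:
        raise ValueError("not a syscall rule: %r" % line)
    return (list_action, tuple(sorted(filters))), syscalls


def merge_rules(text):
    """Merge rules that share list/action and filters into one -S list each.

    Returns the merged rules as a list of strings, in first-seen order,
    with duplicate syscalls within a group dropped."""
    groups = OrderedDict()
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        key, syscalls = parsed
        bucket = groups.setdefault(key, [])
        for sc in syscalls:
            if sc not in bucket:
                bucket.append(sc)

    merged = []
    for (opt, list_action), filters in groups:
        parts = [opt, list_action]
        for sc in groups[((opt, list_action), filters)]:
            parts += ["-S", sc]
        for f in filters:
            parts += ["-F", f]
        merged.append(" ".join(parts))
    return merged


if __name__ == "__main__":
    for rule in merge_rules(SAMPLE_RULES):
        print(rule)
```

Two caveats when loading the merged output with auditctl: syscall numbers differ per architecture, so on a 64-bit kernel add `-F arch=b64` (and a separate `-F arch=b32` rule if 32-bit binaries matter), and names such as `truncate64`/`ftruncate64` exist only on 32-bit ABIs and are rejected on x86_64. The `-a exit,always` order from 2006 is still accepted; current auditctl documents it as `-a always,exit`.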