On Friday 27 February 2009 11:56:57 am Linda Knippers wrote:
> > Let's discuss...
>
> Without "entry", does "exit" still make sense?

You mean the name? I think so from a compatibility perspective. Not everyone will change their rules right away. Are you suggesting to rename the exit filter to something more generic?

> In other words, are the choices really just "always" and "never"?

For syscall, yes. There are still task, exclude, and user filters. Of these, I can't think of any use for the task filter anymore either. I think at one time it, too, was envisioned to help select the right tasks for auditing.

> If we're going to change things, is this an opportunity to simplify in
> general?

I wouldn't mind losing task filter, too. But I was thinking mostly of the case where entry rules identify a syscall is auditable and then the exit filter is 99% of the time walked in its entirety before deciding nothing to do.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
