On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote: > > On 2017-06-12 20:05, Steve Grubb wrote: > > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > > > > The exclude rules did not permit a filterkey to be added. This isn't > > > > as > > > > important for the exclude filter compared to the others since no > > > > records are generated with that key, but still helps identify rules > > > > in the rules list configuration. > > > > > > How long ago did thkernel start allowing this? I'm trying to decide if > > > this is generally applicable or needs some kind of versioning. > > > > I wasn't aware it was disallowed previously. I'll try to dig out if > > that was previously refused. > > I see nothing obvious going back to its introduction: > 5adc8a6adc91 <[email protected]> 2006-06-14 ("add rule filterkey")
I think I remember that it was never supported because it didn't make sense to have a key that would never be used for anything. Exclude supresses records just like a 'never' action. The key is rejected to catch someone's attention that they might have made a copy and paste to the wrong filter. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
