From mboxrd@z Thu Jan  1 00:00:00 1970
From: Amy Griffis <amy.griffis@hp.com>
Subject: Re: [PATCH 1/2] add SIGNAL syscall class
Date: Wed, 14 Feb 2007 15:12:05 -0500
Message-ID: <20070214201205.GA18196@fc.hp.com>
References: <20070214182431.GA17337@fc.hp.com>
	<200702141404.07353.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <200702141404.07353.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:  [Wed Feb 14 2007, 02:04:07PM EST]
> On Wednesday 14 February 2007 13:24:31 Amy Griffis wrote:
> > Add a syscall class for sending signals.
> 
> The intent of the syscall classes had been to make an update independent way 
> of being able to specify audit rules for filesystem auditing where new 
> syscalls could be added.

Yeah, I know I used it in a different way from the original purpose.
But I think this is still a valid use... When we are adding or
removing a rule, we need a way to determine if the rule specified one
of the syscalls for sending signals.

> I don't know if this grouping would be useful in practice. <shrug>

Yeah I wasn't sure either, so I didn't add the filtering part.

> What I have been thinking about is a grouping for delete and close.
> That would align with requirements on security standards people have
> to meet.

Makes sense. Do you think we're in danger of running out of slots for
syscall classes?

Amy