0***@cox.net
2016-10-22 17:21:23 UTC
Because Caitsith has the functionality to create deny rules, I was
wondering if you would be open to adding functionality to
caitsith-queryd to ignore certain deny rules. I would like to propose a
"query 0" rule which when triggered with caitsith-queryd running, would
silently bypass prompting.
For example, using the following ruleset I am trying to block
inet_stream_connect connections for all applications, except those I've
whitelisted. I want to be prompted by queryd for violations of this rule
like normal. However, I also want to block blacklisted applications and
not be prompted by caitsith-queryd.

0 acl inet_stream_connect
    audit 1
    query 0
    10 deny task.exe="/usr/bin/rsync"
10 acl inet_stream_connect
    audit 1
    10 allow task.exe="/usr/bin/curl"
    100 deny

If this functionality already exists through more clever rule writing,
please excuse my ignorance. If not, any consideration you may give to my
idea would be appreciated.