[usbguard] Re: tules.conf comment lines and syslog verbosity
- From: Daniel Kopecek <dkopecek@xxxxxxxxxx>
- To: usbguard@xxxxxxxxxxxxx
- Date: Wed, 18 Jul 2018 04:23:29 -0400 (EDT)
Hi Allen,
----- Original Message -----
From: "Allen Webb" <dmarc-noreply@xxxxxxxxxxxxx>
To: usbguard@xxxxxxxxxxxxx
Sent: Tuesday, July 17, 2018 2:25:58 AM
Subject: [usbguard] tules.conf comment lines and syslog verbosity
> From what I can tell from looking at the source code there isn't a way of
> annotating the rules.conf file with comments. I am considering adding
> syntax to the grammar to handle comments, but I wanted to check to see if
> this had come up before and if they were excluded for a reason before
> spending time on it.
This was requested before in
https://github.com/USBGuard/usbguard/issues/111.
I haven't had time to work on this yet.
Adding support to the parser/grammar is easy. Dealing with comments + changes
via the usbguard CLI (append-rule, remove-rule, ...) is somewhat harder, i.e.
what happens with comments if some rules get deleted and added via the
command-line.
Maybe we just say that this use case is not supported :-)
> Also, when logging is enabled there isn't any way to control the verbosity
> of the output. I would like to exclude some of what is included in the log
> statements (i.e. the device serial numbers). This would probably involve
> specifying the log format or verbosity in the daemon configuration. Has
> this been considered already, and if not is there interest in accepting
> pull requests that add this functionality?
The logger supports several verbosity levels but the command-line only allows
setting debugging on/off.
For messages that contain potentially sensitive information (whatever the
verbosity level), there would have to be some system to annotate each message
(USBGUARD_LOG(...) ... lines in the code) whether it prints sensitive
information or not -- and then filter/mask it if configured to do so.
I'm not sure how one could specify the log format via the daemon configuration,
there would have to be some generic system that could capture all the possible
message items that the daemon prints out. Could you elaborate more on the idea,
how it would work in practice?
Anyway, I'm ok with changes to both the rule language (extending it with
comments) and to the logging system (whatever needs to be done -- let's try to
work on it incrementally)
Thanks!
Regards,
Daniel
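The annotate-and-mask idea discussed in the reply above, as an added sketch that is not part of the original thread and is not USBGuard code. `LogPolicy`, `Sensitive`, `LogLine`, `device_event` and the sample event text are hypothetical names and constructed values.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical names throughout; this is not USBGuard's logger API.
struct LogPolicy {
    bool mask_sensitive;  // assumed to come from the daemon configuration
};

// Call-site annotation: wrapping a value marks it as sensitive.
struct Sensitive { std::string value; };

class LogLine {
public:
    explicit LogLine(const LogPolicy& policy) : policy_(policy) {}

    // Unannotated items are written unchanged.
    template <typename T>
    LogLine& operator<<(const T& item) {
        buf_ << item;
        return *this;
    }

    // Annotated items are masked when the policy asks for it. An empty
    // value stays empty so "no serial reported" remains distinguishable.
    LogLine& operator<<(const Sensitive& s) {
        if (policy_.mask_sensitive && !s.value.empty()) buf_ << "<masked>";
        else buf_ << s.value;
        return *this;
    }

    std::string str() const { return buf_.str(); }

private:
    const LogPolicy& policy_;
    std::ostringstream buf_;
};

// Constructed sample event; field names and values are made up.
std::string device_event(const LogPolicy& policy) {
    LogLine line(policy);
    line << "Device inserted: id=" << "1d6b:0002" << " serial=\""
         << Sensitive{"SN-EXAMPLE-0001"} << "\" port=" << 1;
    return line.str();
}

int main() {
    std::cout << device_event(LogPolicy{true}) << '\n'
              << device_event(LogPolicy{false}) << '\n';
}
```

Because the annotation lives in the type of the logged value, a call site that forgets the wrapper still compiles and logs the raw value, so the wrapper has to be applied where the serial number is read rather than at each log statement.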