Hello.

Darrell wrote:
> Because Caitsith has the functionality to create deny rules, I was
> wondering if you would be open to adding functionality to
> caitsith-queryd to ignore certain deny rules. I would like to propose a
> "query 0" rule which when triggered with caitsith-queryd running, would
> silently bypass prompting.

I wonder for what purpose you are trying to keep caitsith-queryd running.
I think that we use caitsith-queryd only when we do something unusual
(e.g. running software updater) for handling unexpected requests.

> For example, using the following ruleset I am trying to block
> inet_stream_connect connections for all applications, except those I've
> whitelisted. I want to be prompted by queryd for violations of this rule
> like normal. However, I also want to block blacklisted applications and
> not be prompted by caitsith-queryd.
>
> 0 acl inet_stream_connect
>     audit 1
>     query 0
>     10 deny task.exe="/usr/bin/rsync"
>
> 10 acl inet_stream_connect
>     audit 1
>     10 allow task.exe="/usr/bin/curl"
>     100 deny

Apart from "query 0", I don't understand what you want to do with these rules.
The latter rule allows only /usr/bin/curl to use connect(AF_INET or AF_INET6)
on SOCK_STREAM sockets. If you don't want /usr/bin/rsync to generate a query,
do you want to implement something like below?

10 acl inet_stream_connect
    audit 1
    10 allow task.exe="/usr/bin/curl"
    20 deny task.exe="/usr/bin/rsync" ignore_query
    100 deny

> If this functionality already exists through more clever rule writing,
> please excuse my ignorance. If not, any consideration you may give to my
> idea would be appreciated.

But even if there is a scenario where keeping caitsith-queryd always running
makes sense, I don't think we need to implement it in the kernel side as
policy syntax. Adding a configuration file for caitsith-queryd
(e.g. /etc/caitsith/tools/queryd.conf ) and enumerating filtering rules as
with /etc/caitsith/tools/auditd.conf will be cleaner.
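To make the difference between the two rulesets in the exchange above concrete, here is a small evaluator written for this page as an added example; it is not CaitSith code and does not run any kernel policy. It assumes simplified CaitSith semantics: acl blocks for the same operation are tried in ascending priority, entries inside a block are tried in ascending priority, the first entry whose task.exe conditions all match decides and stops the search, and an unmatched request is allowed. It also assumes that a deny is handed to caitsith-queryd only when the block says "query 1" (the mail omits that line, so it is made explicit in the samples), and it treats "ignore_query" as the hypothetical keyword proposed in the reply. The task.exe values are the ones from the mail plus a constructed /usr/bin/wget to show the catch-all deny.

```python
"""Toy evaluator for CaitSith-style acl text (added example, not CaitSith code).

Assumed semantics, simplified: blocks and entries are tried in ascending
priority; the first matching entry decides; no match means allow; a deny
asks caitsith-queryd only when the block has "query 1" and the entry does
not carry the hypothetical "ignore_query" keyword from the mail.
"""
import re
from dataclasses import dataclass, field

COND_RE = re.compile(r'(\S+?)="([^"]*)"')   # matches key="value" conditions


@dataclass
class Entry:
    priority: int
    verdict: str                 # "allow" or "deny"
    conditions: dict             # e.g. {"task.exe": "/usr/bin/curl"}
    ignore_query: bool = False   # hypothetical flag proposed in the mail


@dataclass
class AclBlock:
    priority: int
    operation: str
    audit: int = 0
    query: int = 0
    entries: list = field(default_factory=list)


def parse_policy(text):
    """Parse the indented text form shown in the mail into AclBlock objects."""
    blocks, current = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) == 3 and parts[1] == "acl":        # "N acl <operation>"
            current = AclBlock(int(parts[0]), parts[2])
            blocks.append(current)
            continue
        if current is None:
            raise ValueError("entry before any acl line: %r" % raw)
        if parts[0] in ("audit", "query"):                # block-level flags
            setattr(current, parts[0], int(parts[1]))
            continue
        if parts[1] not in ("allow", "deny"):
            raise ValueError("unknown entry: %r" % raw)
        rest = parts[2:]                                  # conditions and flags
        current.entries.append(Entry(int(parts[0]), parts[1],
                                     dict(COND_RE.findall(" ".join(rest))),
                                     "ignore_query" in rest))
    for block in blocks:
        block.entries.sort(key=lambda e: e.priority)
    blocks.sort(key=lambda b: b.priority)
    return blocks


def evaluate(blocks, operation, request):
    """Return (verdict, ask_queryd) for a request such as {"task.exe": "..."}."""
    for block in blocks:
        if block.operation != operation:
            continue
        for entry in block.entries:
            if all(request.get(k) == v for k, v in entry.conditions.items()):
                ask = (entry.verdict == "deny" and block.query == 1
                       and not entry.ignore_query)
                return entry.verdict, ask
    return "allow", False          # assumption: nothing matched, so allowed


def decide(policy_text, exe, operation="inet_stream_connect"):
    return evaluate(parse_policy(policy_text), operation, {"task.exe": exe})


# The reply's single-block suggestion, with "query 1" made explicit (assumed).
PROPOSED = """
10 acl inet_stream_connect
    audit 1
    query 1
    10 allow task.exe="/usr/bin/curl"
    20 deny task.exe="/usr/bin/rsync" ignore_query
    100 deny
"""

# Darrell's two-block form, with "query 1" added to the second block (assumed).
TWO_BLOCKS = """
0 acl inet_stream_connect
    audit 1
    query 0
    10 deny task.exe="/usr/bin/rsync"

10 acl inet_stream_connect
    audit 1
    query 1
    10 allow task.exe="/usr/bin/curl"
    100 deny
"""

if __name__ == "__main__":
    for name, policy in (("proposed", PROPOSED), ("two blocks", TWO_BLOCKS)):
        for exe in ("/usr/bin/curl", "/usr/bin/rsync", "/usr/bin/wget"):
            print(name, exe, decide(policy, exe))
```

Under these assumptions both rulesets give the same three outcomes: curl is allowed, rsync is denied without a prompt, and anything else is denied and handed to caitsith-queryd. The difference is only where the "no prompt" decision lives: in the entry (ignore_query) or in a separate low-priority block whose "query 0" applies to everything it matches.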