Allow exclude and user filter by executable name #48
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Apr 25, 2018
|
@stevegrubb can we get a thumbs up, or down, on the userspace piece? I don't want to merge the kernel piece only to find out you've got objections to the userspace portion. |
|
@stevegrubb can we get a verdict on the userspace part of this? The kernel is at -rc4 right now, and if we want this to go in during the next merge window this should be merged into audit/next within the next week or so. |
|
Pinged @stevegrubb directly via email in case he isn't monitoring his GitHub notifications. |
This patch removes the restriction that excludes the AUDIT_EXE field
from the exclude filter list. It also clarifies in the documentation
that this field can be used also with these filter lists ('auditctl -a
user,always -F exe=/something' works even without this patch).
Relevant kernel patch that enables exclude filter for AUDIT_EXE:
https://www.redhat.com/archives/linux-audit/2018-April/msg00114.html
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch removes the restriction that excludes the AUDIT_EXE field
from the exclude filter list. It also clarifies in the documentation
that this field can be used also with these filter lists ('auditctl -a
user,always -F exe=/something' works even without this patch).
Relevant kernel patch that enables exclude filter for AUDIT_EXE:
https://www.redhat.com/archives/linux-audit/2018-April/msg00114.html
Signed-off-by: Ondrej Mosnacek omosnace@redhat.com