[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] Audit filter rule operators (0/2)


Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.

These two patches rework the support for "=" and "!=", and add support
for ">", ">=", "<", and "<=".

This turned out to be a pretty clean, and simply process.  I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.

There are two pieces to this patch.

The first is user space.  The second is kernel space.

I'll briefly describe those changes in the following emails with the

The interface looks something like this....

Audit all ipc messages by normal users
	auditctl -a exit,always -S ipc -F "uid>=500"

Audit all opens by any user except for user 501:
	auditctl -a exit,always -S open -F "uid>=0" -F "uid!=501"

and so on...


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]