[RFC PATCH 1/2] audit: allow other filter list types for AUDIT_EXE

Paul Moore paul at paul-moore.com
Tue Jun 19 14:25:48 UTC 2018


On Wed, May 30, 2018 at 4:45 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
>     auditctl -a exit,always [some general rule]
>     # Filter out events with executable name /bin/exe1 or /bin/exe2:
>     auditctl -a exclude,always -F exe=/bin/exe1
>     auditctl -a exclude,always -F exe=/bin/exe2
>
> See: https://github.com/linux-audit/audit-kernel/issues/54
>
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
>  kernel/auditfilter.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Merged, thanks.

-- 
paul moore
www.paul-moore.com



