Open teodesian opened 2 years ago
Primary open question: how to know auditd has flushed the log? I suppose I could touch a tmpfile and wait for it to roll in.
Even then that doesn't account for spooky action at a distance, such as that caused by code which shoves things into a batch executor's queue. I'll make sure to note in the log that handling such is to be left as an exercise for the reader.
Aside from that it'll have to be a full-blown config file rather than an ignore file for a harness plugin.
Checking for unexpected occurrences since the beginning of a block, over a whole file or during the entire harness run could be quite useful.
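The touch-a-tmpfile idea from the post above, written out as an added example (not part of the original issue or the project's code). It assumes an audit watch already covers the sentinel directory and that auditd writes records to the log in order; `wait_for_flush`, `find_sentinel` and `touch_file` are hypothetical names.

```python
import os
import re
import time
import uuid

# auditd PATH record, e.g.
# type=PATH msg=audit(1700000000.123:456): item=1 name="/tmp/w/flush-ab" nametype=CREATE
PATH_RECORD = re.compile(r'^type=PATH msg=audit\(\d+\.\d+:(\d+)\):.*?\bname="([^"]*)"')


def find_sentinel(lines, sentinel):
    """Return the event serial of the first PATH record naming `sentinel`, else None."""
    for line in lines:
        m = PATH_RECORD.match(line)
        if m and m.group(2) == sentinel:
            return int(m.group(1))
    return None


def touch_file(path):
    with open(path, "a"):
        os.utime(path, None)


def wait_for_flush(log_path, watch_dir, timeout=5.0, poll=0.1, touch=touch_file):
    """Touch a uniquely named file in `watch_dir`, then poll `log_path` for it.

    Assumption: an audit watch already covers watch_dir (for example one added
    with `auditctl -w <dir> -p wa`) and records reach the log in order.
    Returns the sentinel's event serial, or None if it never shows up.
    """
    sentinel = os.path.join(watch_dir, "flush-" + uuid.uuid4().hex)
    offset = os.path.getsize(log_path)  # ignore records older than the touch
    touch(sentinel)
    deadline = time.monotonic() + timeout
    try:
        while True:
            if os.path.getsize(log_path) < offset:
                offset = 0  # log was rotated or truncated: rescan from the start
            with open(log_path, "rb") as fh:  # binary mode so seek() takes a byte offset
                fh.seek(offset)
                serial = find_sentinel((l.decode("utf-8", "replace") for l in fh), sentinel)
            if serial is not None or time.monotonic() >= deadline:
                return serial
            time.sleep(poll)
    finally:
        if os.path.exists(sentinel):
            os.unlink(sentinel)
```

A `None` return means the sentinel was not seen before the timeout, so the caller should treat the block's audit records as incomplete rather than as clean.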