linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: allow audit-by-executable-name not equal operator #53

Closed rgbriggs closed 5 years ago

rgbriggs commented 7 years ago

Upstream added audit-by-executable-name filtering using the exe= filter. 34d99af52ad4 ("audit: implement audit by executable")

Add negation to the operator options.
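As an added illustration of what the request asks for (this is constructed example code, not kernel or audit-userspace code from the issue or its patches), the model below parses `auditctl`-style `-F exe=...` / `-F exe!=...` fields, applies rule-load-time validation that either rejects or accepts the `!=` operator on `exe`, and evaluates the rule against a few constructed tasks the way `audit_filter_rules()` requires every field to match. Matching the executable by its resolved path string is a simplification assumed for the example; the operator set and the `NUMERIC_FIELDS` list are also assumptions of the example.

```python
# Added example: a model of exe-field validation and matching for an audit rule.
# Constructed for illustration; not the kernel's or auditctl's own code.

AUDIT_EQUAL = "="
AUDIT_NOT_EQUAL = "!="

# Operators accepted on the exe field before and after the change this issue
# requests: only '=' originally, '=' and '!=' once negation is allowed.
EXE_OPS_BEFORE = frozenset({AUDIT_EQUAL})
EXE_OPS_AFTER = frozenset({AUDIT_EQUAL, AUDIT_NOT_EQUAL})

# Fields whose values are compared as integers (assumption of this model).
NUMERIC_FIELDS = {"uid", "gid", "pid"}


def parse_fields(args):
    """Parse auditctl-style '-F field<op>value' arguments into (field, op, value).

    Only '=' and '!=' are modelled; the real auditctl also knows <, >, <=, >=, &, &=.
    """
    fields = []
    it = iter(args)
    for tok in it:
        if tok != "-F":
            raise ValueError(f"unexpected argument {tok!r}")
        spec = next(it, None)
        if spec is None:
            raise ValueError("-F requires a field specification")
        for op in (AUDIT_NOT_EQUAL, AUDIT_EQUAL):  # test '!=' before '='
            if op in spec:
                field, value = spec.split(op, 1)
                if field in NUMERIC_FIELDS:
                    value = int(value)
                fields.append((field, op, value))
                break
        else:
            raise ValueError(f"no operator found in {spec!r}")
    return fields


def validate_rule(rule, exe_ops):
    """Rule-load-time check: None if accepted, otherwise an error message."""
    for field, op, _ in rule:
        if field == "exe" and op not in exe_ops:
            return f"operator {op!r} is not allowed on the exe field"
    return None


def comparator(actual, op, wanted):
    """Stand-in for audit_comparator() covering the two modelled operators."""
    if op == AUDIT_EQUAL:
        return actual == wanted
    if op == AUDIT_NOT_EQUAL:
        return actual != wanted
    raise ValueError(op)


def rule_matches(rule, task):
    """Every field of a rule must match for the rule to fire on a task."""
    return all(comparator(task[field], op, wanted) for field, op, wanted in rule)


def matching_tasks(rule, tasks):
    """Return the executable paths of the tasks a rule would record."""
    return [t["exe"] for t in tasks if rule_matches(rule, t)]


# Constructed sample tasks: resolved executable path and uid as the kernel sees them.
SAMPLE_TASKS = [
    {"exe": "/usr/bin/bash", "uid": 1000},
    {"exe": "/usr/bin/python3", "uid": 1000},
    {"exe": "/usr/sbin/sshd", "uid": 0},
]

if __name__ == "__main__":
    rule = parse_fields(["-F", "exe!=/usr/bin/bash", "-F", "uid=1000"])
    print("without negation support:", validate_rule(rule, EXE_OPS_BEFORE))
    print("with negation support:   ", validate_rule(rule, EXE_OPS_AFTER))
    print("tasks recorded:", matching_tasks(rule, SAMPLE_TASKS))
```

The interesting case is the negated rule: with only `=` allowed, loading `exe!=/usr/bin/bash` fails at validation time, and once `!=` is accepted the same rule records every uid 1000 task except those running bash.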

pcmoore commented 7 years ago

Related mailing list discussion:

WOnder93 commented 6 years ago

@pcmoore This seems like a good task to start with, can you assign me? :)

But I'll probably need some hints here... I looked at the code briefly and I'm not really sure what needs to be changed to get this working. I will take a closer look later and try to come back with some concrete questions.

pcmoore commented 6 years ago

> @pcmoore This seems like a good task to start with, can you assign me? :)

It's all yours now :)

> But I'll probably need some hints here... I looked at the code briefly and I'm not really sure what needs to be changed to get this working. I will take a closer look later and try to come back with some concrete questions.

No problem, I'll wait for your questions, but if you would prefer a quick overview first let me know.

pcmoore commented 6 years ago

Quick summary of the various patches.

The v2 kernel patch:

... the userspace patch:

... and the audit-testsuite patch:

rgbriggs commented 5 years ago

Upstream since 4.18-rc1 23bcc48 ("audit: allow not equal op for audit by executable")