linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: extend executable name filter to user, task, exclude #54

Closed rgbriggs closed 5 years ago

rgbriggs commented 7 years ago

Currently, the filter on executable file name is limited to the exit filter. Was there a good reason to limit it to this filter and can it be extended for use by user, task and exclude filters?

```c
...
audit_field_valid(...)
{
	...
	switch (f->type) {
	...
	case AUDIT_EXE:
		...
		if (entry->rule.listnr != AUDIT_FILTER_EXIT)
			return -EINVAL;
```
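To make the check concrete, the following is an added, stand-alone C model of the validation step quoted above; it is not code from the audit kernel tree or from the patch linked later in this thread. It keeps the exit-only policy the issue quotes (`exe_allowed_exit_only`) beside a hypothetical extended allowlist (`exe_allowed_extended`) covering the user, task and exclude lists the RFE asks for; the exact set the upstream change admits is not stated on this page, so that allowlist is an assumption. The filter-list and field constants use the numeric values from `uapi/linux/audit.h` only so the names read naturally; the struct types and the `audit_rule_exe_valid()` helper are simplified stand-ins, not the kernel's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Filter-list identifiers; values as in uapi/linux/audit.h (nothing below
 * depends on the exact numbers). */
#define AUDIT_FILTER_USER    0x00
#define AUDIT_FILTER_TASK    0x01
#define AUDIT_FILTER_ENTRY   0x02
#define AUDIT_FILTER_WATCH   0x03
#define AUDIT_FILTER_EXIT    0x04
#define AUDIT_FILTER_EXCLUDE 0x05
#define AUDIT_FILTER_FS      0x06

/* Field types used in this model. */
#define AUDIT_PID 0
#define AUDIT_EXE 112

/* Simplified stand-ins for the kernel's audit_field / audit_krule. */
struct audit_field { int type; };
struct audit_rule  { int listnr; const struct audit_field *fields; size_t nfields; };

/* Policy 1: the behaviour quoted in the issue. AUDIT_EXE is only accepted
 * when the rule is being added to the exit filter list. */
int exe_allowed_exit_only(int listnr)
{
	return listnr == AUDIT_FILTER_EXIT ? 0 : -EINVAL;
}

/* Policy 2 (assumption): the extension the RFE asks for, admitting AUDIT_EXE
 * on the user, task and exclude lists as well. Lists not in this allowlist,
 * e.g. the filesystem list, are still rejected. */
int exe_allowed_extended(int listnr)
{
	switch (listnr) {
	case AUDIT_FILTER_USER:
	case AUDIT_FILTER_TASK:
	case AUDIT_FILTER_EXIT:
	case AUDIT_FILTER_EXCLUDE:
		return 0;
	default:
		return -EINVAL;
	}
}

/* Walk a rule's fields the way audit_field_valid() is called per field:
 * the rule is rejected with -EINVAL if any AUDIT_EXE field sits on a list
 * the chosen policy does not permit. Rules without an exe field are never
 * affected by either policy. */
int audit_rule_exe_valid(const struct audit_rule *r, int (*policy)(int))
{
	size_t i;

	for (i = 0; i < r->nfields; i++) {
		int err;

		if (r->fields[i].type != AUDIT_EXE)
			continue;
		err = policy(r->listnr);
		if (err)
			return err;
	}
	return 0;
}

/* Validate a single-field "-F exe=..." rule under the old and the extended
 * policy; both helpers return 0 on accept or -EINVAL on reject. */
int exe_rule_valid_old(int listnr)
{
	struct audit_field f = { AUDIT_EXE };
	struct audit_rule r = { listnr, &f, 1 };

	return audit_rule_exe_valid(&r, exe_allowed_exit_only);
}

int exe_rule_valid_new(int listnr)
{
	struct audit_field f = { AUDIT_EXE };
	struct audit_rule r = { listnr, &f, 1 };

	return audit_rule_exe_valid(&r, exe_allowed_extended);
}

int main(void)
{
	static const char *const names[] = {
		"user", "task", "entry", "watch", "exit", "exclude", "fs"
	};
	int l;

	printf("%-8s %-10s %-10s\n", "list", "exit-only", "extended");
	for (l = AUDIT_FILTER_USER; l <= AUDIT_FILTER_FS; l++)
		printf("%-8s %-10s %-10s\n", names[l],
		       exe_rule_valid_old(l) ? "EINVAL" : "ok",
		       exe_rule_valid_new(l) ? "EINVAL" : "ok");
	return 0;
}
```

Running it prints a table of which lists accept an `exe` field under each policy; the interesting rows are task and exclude, which flip from EINVAL to ok, while the filesystem list stays rejected under both.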

WOnder93 commented 6 years ago

Kernel patch submitted: https://www.redhat.com/archives/linux-audit/2018-April/msg00114.html

Userspace support: https://github.com/linux-audit/audit-userspace/pull/48

Test suite patch: https://github.com/linux-audit/audit-testsuite/pull/68

rgbriggs commented 6 years ago

I had a quick look at the userspace and testsuite patches and I don't have any concerns.

pcmoore commented 6 years ago

See the audit-userspace PR; we need a positive nod from Steve before I'm going to merge the kernel piece.

rgbriggs commented 5 years ago

Upstream since 4.19-rc1 29c1372 ("audit: allow other filter list types for AUDIT_EXE")