linux-audit / audit-userspace

Linux audit userspace repository
GNU General Public License v2.0

ausearch: add option to exclude by message type #346

Open cgzones opened 5 months ago

cgzones commented 5 months ago

Similar to the existing option -m, which searches by the given message type(s), add the option -M to exclude by the given message type(s).

stevegrubb commented 5 months ago

We could search by negating virtually any of the search criteria. I wonder if it would be more useful to add --negate and do it to everything? Is there a practical use to removing just one particular event type and selecting all others?

Also, -m supports lists. ausearch -m DAEMON_START,DAEMON_END,SYSTEM_BOOT,SYSTEM_SHUTDOWN,SYSTEM_RUNLEVEL,SERVICE_START,SERVICE_STOP

Would the -M option do the same thing?

cgzones commented 5 months ago

> Also, -m supports lists. ausearch -m DAEMON_START,DAEMON_END,SYSTEM_BOOT,SYSTEM_SHUTDOWN,SYSTEM_RUNLEVEL,SERVICE_START,SERVICE_STOP
> Would the -M option do the same thing?

Yes, since it reuses the same parsing logic.

> Is there a practical use to removing just one particular event type and selecting all others?

It seems useful while already filtering by a custom key, to reduce the shown events.
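To make the semantics under discussion concrete, here is an added example (not ausearch code and not part of the pull request) that models how a comma-separated type list for `-m`, the proposed exclude list for `-M`, and a key filter (`-k`) would combine over a few constructed audit.log records. It assumes, as ausearch does for `-m`, that selection happens per event (all records sharing one `audit(ts:serial)` id) and that the filters are ANDed; the PR text does not spell out how `-M` interacts with other criteria, so treat that as an assumption of the model.

```python
"""Model of the -m / -M / -k filtering discussed in the thread.

Added example, not ausearch code: it reproduces the selection semantics
over constructed audit.log records so the effect of an exclude list can
be seen next to an include list and a key filter.
"""
import re
from collections import OrderedDict

# Constructed sample records in raw audit.log format (not from a real host).
# Events 101 and 102 come from rules keyed "sensitive" (a file watch and an
# execve rule), 105 from a differently keyed rule; 103/104 are daemon records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 key="sensitive"
type=CWD msg=audit(1700000000.100:101): cwd="/root"
type=PATH msg=audit(1700000000.100:101): item=0 name="/etc/shadow" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.100:101): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 key="sensitive"
type=EXECVE msg=audit(1700000000.200:102): argc=2 a0="id" a1="root"
type=CWD msg=audit(1700000000.200:102): cwd="/root"
type=PATH msg=audit(1700000000.200:102): item=0 name="/usr/bin/id" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.200:102): proctitle=6964
type=SERVICE_START msg=audit(1700000000.300:103): pid=1 uid=0 msg='unit=sshd comm="systemd"'
type=USER_LOGIN msg=audit(1700000000.400:104): pid=900 uid=0 auid=1000 res=success
type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=257 success=yes exit=3 key="other"
type=PATH msg=audit(1700000000.500:105): item=0 name="/var/log/syslog" nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
KEY_RE = re.compile(r'\bkey="(?P<key>[^"]*)"')


def parse_type_list(arg):
    """Parse a comma-separated type list as given to -m (and, by reuse, -M)."""
    types = {t.strip().upper() for t in arg.split(",") if t.strip()}
    if not types:
        raise ValueError("empty message type list")
    return types


def parse_events(text):
    """Group raw records into events by their audit(ts:serial) identifier."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = RECORD_RE.match(line)
        if not rec:
            continue  # not an audit record; skipped
        events.setdefault(rec["serial"], []).append((rec["type"], line))
    return events


def select_events(events, include=None, exclude=None, key=None):
    """Return serials of events passing all given filters.

    include: event kept only if one of its records has a listed type (-m).
    exclude: event dropped if any record has a listed type (proposed -M).
    key:     event kept only if one of its records carries key="<key>" (-k).
    Assumption, not stated in the PR: filters act per event and are ANDed.
    """
    selected = []
    for serial, records in events.items():
        types = {t for t, _ in records}
        keys = {km["key"] for _, line in records if (km := KEY_RE.search(line))}
        if include is not None and not types & include:
            continue
        if exclude is not None and types & exclude:
            continue
        if key is not None and key not in keys:
            continue
        selected.append(serial)
    return selected


def search(text, m=None, M=None, k=None):
    """Convenience wrapper mirroring the command-line spelling of the options."""
    return select_events(
        parse_events(text),
        include=parse_type_list(m) if m else None,
        exclude=parse_type_list(M) if M else None,
        key=k,
    )


if __name__ == "__main__":
    print("-m SERVICE_START,USER_LOGIN ->", search(SAMPLE_LOG, m="SERVICE_START,USER_LOGIN"))
    print("-k sensitive               ->", search(SAMPLE_LOG, k="sensitive"))
    print("-k sensitive -M EXECVE     ->", search(SAMPLE_LOG, k="sensitive", M="EXECVE"))
```

Running the block shows the use case from the last comment: `-k sensitive` alone returns events 101 and 102, and adding `-M EXECVE` drops the execve event and leaves only the file access. Because the exclude list goes through the same `parse_type_list` as the include list, `-M` accepts comma-separated lists exactly as `-m` does.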