Exclude messages within range:
auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
While I think it's handy to be able to specify multiple types
easily, supporting ranges like this doesn't seem like a good
idea to me. If new types are added in the future within the range,
an admin might be excluding more than intended without even knowing,
and if the values of these definitions ever change, the rule might
not even make sense.
Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
auditctl to be a range of 1200-1299 as specified in the audit.h header):
auditctl -a exclude,always -F "type=ALL_DAEMON"
I like this approach better. Maybe you could have ALL_SYSCALL,
which includes AUDIT_SYSCALL, AUDIT_CWD, AUDIT_PATH, and whatever
else comes with syscall auditing, regardless of what the values are.
-- ljk
PS I'm still cleaning up a backlog of mail so my apologies if this
has already been discussed in mail I haven't read yet.
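
The difference between the two proposals can be made concrete. The following is an added example, not part of the original message and not auditctl code: it compares what a range value and a named helper term would exclude as the header changes. `expand`, `over_match`, the membership of `ALL_SYSCALL`, and `AUDIT_NEW_RECORD` are hypothetical, and the numeric values are a partial snapshot assumed to match linux/audit.h.

```python
# Constructed snapshot of record-type numbers. The values are assumed to match
# linux/audit.h; verify them against the header on the system being configured.
TYPES = {
    "AUDIT_SYSCALL": 1300, "AUDIT_PATH": 1302, "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304, "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306, "AUDIT_CWD": 1307, "AUDIT_EXECVE": 1309,
}

# Hypothetical helper term; membership taken from the types named in the reply.
GROUPS = {"ALL_SYSCALL": {"AUDIT_SYSCALL", "AUDIT_CWD", "AUDIT_PATH"}}


def expand(spec, types=TYPES, groups=GROUPS):
    """Return the set of type names that a `type=<spec>` value selects."""
    if ".." in spec:
        lo_name, hi_name = spec.split("..", 1)
        lo, hi = types[lo_name], types[hi_name]
        if lo > hi:
            raise ValueError(f"{spec}: empty range ({lo} > {hi})")
        return {name for name, value in types.items() if lo <= value <= hi}
    if spec in groups:
        return set(groups[spec])
    if spec in types:
        return {spec}
    raise ValueError(f"unknown type or helper term: {spec}")


def over_match(spec, intended, types=TYPES, groups=GROUPS):
    """Types the rule would exclude beyond what the admin meant to exclude."""
    return expand(spec, types, groups) - set(intended)


if __name__ == "__main__":
    intended = GROUPS["ALL_SYSCALL"]
    rng = "AUDIT_SYSCALL..AUDIT_CWD"
    print("range today:     ", sorted(over_match(rng, intended)))
    print("helper today:    ", sorted(over_match("ALL_SYSCALL", intended)))

    # A later header adds a type inside the range (constructed name and value).
    later = dict(TYPES, AUDIT_NEW_RECORD=1301)
    print("range later:     ", sorted(over_match(rng, intended, later)))

    # A renumbered header (constructed) leaves the range rule meaningless.
    moved = dict(TYPES, AUDIT_CWD=1299)
    try:
        expand(rng, moved)
    except ValueError as err:
        print("range renumbered:", err)
```

With this snapshot the range already takes in AUDIT_CONFIG_CHANGE, a record an admin excluding syscall noise would likely still want to keep.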