USER_SPACE
From a user-experience perspective, we're trying to enable a user to
exclude messages of a certain type (or ranges of messages of particular
types). If you're unclear what types of messages are currently defined,
see include/linux/audit.h. Given extended support for ranges and
comparative operators, this should be extensible to other audit record
keys, such as the user, subject, etc.
I'm suggesting the ability to add new rules via auditctl to a new list,
perhaps called "exclude". The proposed interface would look like:
Exclude messages of a specific type:
auditctl -a exclude,always -F "type=AUDIT_IPC"
Exclude messages within range:
auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
auditctl to be a range of 1200-1299 as specified in the audit.h header):
auditctl -a exclude,always -F "type=ALL_DAEMON"
Use multiple rules to exclude audit system command messages:
auditctl -a exclude,always -F "type<1100"
Also, the same form should be usable for other parameters as well, such
as uid, pid, etc.
auditctl -a exclude,always -F "uid<500"
auditctl -a exclude,always -F "pid=464"
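To make the proposed syntax concrete, here is an added example (not code from the thread or from the audit project) that parses `-F` expressions in the form used above, including `A..B` ranges, the `ALL_DAEMON` helper term, and the `<`/`>`/`=`/`!=` comparisons, and then decides whether a given record would be dropped by an "exclude,always" list. The record type constants are the values from include/linux/audit.h as I know them; only a handful are included, and the record dictionaries fed in at the end are constructed sample data. Multiple `-F` clauses on one rule are assumed to be ANDed, as they are in existing auditctl rules.

```python
"""Parser and matcher for the proposed auditctl 'exclude' filter syntax."""
import re

# Subset of the record type constants from include/linux/audit.h
# (values as in that header; constructed subset for this example).
AUDIT_TYPES = {
    "AUDIT_USER": 1005,
    "AUDIT_LOGIN": 1006,
    "AUDIT_DAEMON_START": 1200,
    "AUDIT_DAEMON_END": 1201,
    "AUDIT_DAEMON_ABORT": 1202,
    "AUDIT_DAEMON_CONFIG": 1203,
    "AUDIT_SYSCALL": 1300,
    "AUDIT_PATH": 1302,
    "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304,
    "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306,
    "AUDIT_CWD": 1307,
}

# Helper terms that auditctl would expand into numeric ranges.
# ALL_DAEMON is the one the thread names (1200-1299).
HELPER_RANGES = {
    "ALL_DAEMON": (1200, 1299),
}

_FIELD_RE = re.compile(r"^(?P<key>[a-z]+)(?P<op>!=|<=|>=|=|<|>)(?P<val>.+)$")


def resolve_value(key, token):
    """Turn one value token into an int; symbolic names are only valid for 'type'."""
    if key == "type" and token in AUDIT_TYPES:
        return AUDIT_TYPES[token]
    return int(token)


def parse_field(expr):
    """Parse 'key<op>value' into a dict with key, op and an inclusive [lo, hi] range."""
    m = _FIELD_RE.match(expr.strip().strip('"'))
    if not m:
        raise ValueError("bad field expression: %r" % expr)
    key, op, val = m.group("key", "op", "val")
    if key == "type" and val in HELPER_RANGES:
        lo, hi = HELPER_RANGES[val]
    elif ".." in val:
        lo_s, hi_s = val.split("..", 1)
        lo, hi = resolve_value(key, lo_s), resolve_value(key, hi_s)
    else:
        lo = hi = resolve_value(key, val)
    if op not in ("=", "!=") and lo != hi:
        raise ValueError("ranges are only meaningful with = or !=: %r" % expr)
    if lo > hi:
        raise ValueError("empty range: %r" % expr)
    return {"key": key, "op": op, "lo": lo, "hi": hi}


def field_matches(field, record):
    """Does one parsed field expression match a record (dict of int values)?"""
    if field["key"] not in record:
        return False  # a record without the field cannot be selected by it
    v = record[field["key"]]
    op, lo, hi = field["op"], field["lo"], field["hi"]
    if op == "=":
        return lo <= v <= hi
    if op == "!=":
        return not (lo <= v <= hi)
    if op == "<":
        return v < lo
    if op == "<=":
        return v <= lo
    if op == ">":
        return v > lo
    return v >= lo  # ">="


def parse_rule(argv):
    """Parse an auditctl-style argument list such as
    ['-a', 'exclude,always', '-F', 'type=AUDIT_IPC', '-F', 'uid<500'].
    Returns (list_name, action, fields); several -F clauses are ANDed."""
    list_name = action = None
    fields = []
    i = 0
    while i < len(argv):
        if argv[i] == "-a":
            list_name, action = argv[i + 1].split(",", 1)
            i += 2
        elif argv[i] == "-F":
            fields.append(parse_field(argv[i + 1]))
            i += 2
        else:
            raise ValueError("unexpected argument: %r" % argv[i])
    if list_name != "exclude" or action not in ("always", "never"):
        raise ValueError("only the exclude list is handled in this example")
    return list_name, action, fields


def is_excluded(rules, record):
    """A record is dropped if any 'exclude,always' rule matches on all its clauses."""
    for _list_name, action, fields in rules:
        if action == "always" and all(field_matches(f, record) for f in fields):
            return True
    return False


def demo():
    """Apply the rules from the proposal to constructed sample records."""
    rules = [
        parse_rule(["-a", "exclude,always", "-F", "type=AUDIT_IPC"]),
        parse_rule(["-a", "exclude,always", "-F", "type=ALL_DAEMON"]),
        parse_rule(["-a", "exclude,always", "-F", "type<1100"]),
        parse_rule(["-a", "exclude,always", "-F", "uid<500", "-F", "pid=464"]),
    ]
    records = [  # constructed sample records: type, uid, pid
        {"type": 1303, "uid": 1000, "pid": 10},  # IPC record
        {"type": 1200, "uid": 0, "pid": 1},      # daemon start
        {"type": 1005, "uid": 0, "pid": 2},      # user-space message below 1100
        {"type": 1300, "uid": 0, "pid": 464},    # syscall from uid 0, pid 464
        {"type": 1300, "uid": 1000, "pid": 464}, # same pid, uid not < 500
        {"type": 1307, "uid": 0, "pid": 5},      # CWD record, no rule matches
    ]
    return [is_excluded(rules, r) for r in records]


if __name__ == "__main__":
    print(demo())
```

The range check in `parse_field` rejects expressions like `type<AUDIT_SYSCALL..AUDIT_CWD`, which have no clear meaning; that is the kind of input validation auditctl would need once ranges and comparison operators are combined.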
I like the new 'exclude' list idea.
We can currently select to never audit with the use of the action 'never'.
Such as "auditctl -a exit,never -F pid=464"
If we add an 'exclude' list then it seems like we would no longer need the
'never' action.
I think 'auditctl -a exclude,always -F pid=464' is less confusing than the
user having to figure out if they only need one or all of the following:
auditctl -a exit,never -F pid=464
auditctl -a entry,never -F pid=464
auditctl -a task,never -F pid=464
auditctl -a user,never -F pid=464