On Wed, Apr 12, 2017 at 4:28 AM, Eytan Naim <eytan.naim(a)imperva.com> wrote:
> Hi,
> I am currently developing an audisp plugin that should be as effective as possible.
> Therefore, I want to set my own set of filtering rules (2-3 syscalls) and I don't
> want to get any other audit events from audisp itself. I assumed it is possible to
> set my own plugin rules, but I couldn't find it in the audit documentation (Linux Audit
> API) nor in any other audisp plugin examples. Is it even possible?
> If not, is it possible to run an auditd of my own in parallel with the original auditd? I
> assume each auditd can define its own set of audit rules. Am I right?
I'll let Steve Grubb respond with respect to the audit dispatcher, but
as far as the audit daemon is concerned you can currently only run one
instance at a time and only one set of audit filter rules that apply
to the entire system.
--
paul moore
www.paul-moore.com