On Monday, January 16, 2023 11:15:46 AM EST Avtansh Gupta wrote:
> Hello All,
> Please could you help me understand the difference between the following
> flags which are being used?
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
This ^^^ means the kernel supports -F exe= in the rules.
https://listman.redhat.com/archives/linux-audit/2015-August/010585.html
> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
This ^^^ means that the exclude filter supports many more kinds of fields than
the original design allowed for.
https://listman.redhat.com/archives/linux-audit/2016-June/011433.html
For upstream kernels and ones derived after it was released, the second
implies the first one is already included.
-Steve
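As an added example (not code from this thread or from audit-userspace), the following reads the feature bitmap the kernel reports in the audit_status reply to AUDIT_GET and decodes the two bits discussed above. The bit values and the audit_status layout are taken from linux/audit.h; the NETLINK_AUDIT constant is defined locally because Python's socket module does not export it, and the live query needs CAP_AUDIT_CONTROL, so the decoding helpers are kept separate and can be exercised on a constructed payload.

```python
import socket
import struct

# Feature bits reported in audit_status.feature_bitmap (linux/audit.h).
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH = 0x00000004   # -F exe= supported in rules
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND = 0x00000008    # exclude filter accepts more fields

NETLINK_AUDIT = 9          # not exported by Python's socket module
AUDIT_GET = 1000           # netlink type for the audit_status request/reply
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_HDRLEN = 16
# audit_status is a sequence of __u32 fields; feature_bitmap is the ninth one.
FEATURE_BITMAP_OFFSET = 8 * 4


def decode_features(bitmap):
    """Map a feature_bitmap value to the two capabilities asked about in the thread."""
    return {
        "exe_field_in_rules": bool(bitmap & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH),
        "extended_exclude_filter": bool(bitmap & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND),
    }


def feature_bitmap_from_status(payload):
    """Pull feature_bitmap out of a raw audit_status payload (native byte order)."""
    if len(payload) < FEATURE_BITMAP_OFFSET + 4:
        raise ValueError("audit_status payload too short to carry feature_bitmap")
    return struct.unpack_from("=I", payload, FEATURE_BITMAP_OFFSET)[0]


def query_kernel_feature_bitmap():
    """Send AUDIT_GET over netlink and return the kernel's feature_bitmap (needs CAP_AUDIT_CONTROL)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    try:
        sock.bind((0, 0))
        # nlmsghdr: len, type, flags, seq, pid; no payload for AUDIT_GET.
        hdr = struct.pack("=IHHII", NLMSG_HDRLEN, AUDIT_GET, NLM_F_REQUEST | NLM_F_ACK, 1, 0)
        sock.send(hdr)
        while True:
            data = sock.recv(8192)
            length, msg_type = struct.unpack_from("=IH", data)
            if msg_type == AUDIT_GET:
                return feature_bitmap_from_status(data[NLMSG_HDRLEN:length])
            if msg_type == NLMSG_ERROR:
                err = -struct.unpack_from("=i", data, NLMSG_HDRLEN)[0]
                raise OSError(err, "AUDIT_GET request rejected by the kernel")
    finally:
        sock.close()
```

On a kernel that sets EXCLUDE_EXTEND, decode_features() will also report exe_field_in_rules as true, matching the ordering Steve describes.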