I need a method to identify whether the audit version a kernel is running supports path-based exclusions.
One option would be to use audit_add_rule_data to add a temporary path-based rule and check if it is successful, but this won't work when auditd is running in immutable mode.
Any other way which does not require checking versions of Kernel or Distribution?
--
Anurag Aggarwal