On Wed, May 30, 2018 at 4:45 AM Ondrej Mosnacek wrote:
>
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
> auditctl -a exit,always [some general
2018-06-04 22:41 GMT+02:00 Paul Moore:
> On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
On Wed, May 30, 2018 at 4:45 AM, Ondrej Mosnacek wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
> auditctl -a exit,always [some general
On 2018-05-30 10:45, Ondrej Mosnacek wrote:
> This patch removes the restriction of the AUDIT_EXE field to only
> SYSCALL filter and teaches audit_filter to recognize this field.
>
> This makes it possible to write rule lists such as:
>
> auditctl -a exit,always [some general rule]
> #
This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.

This makes it possible to write rule lists such as:

auditctl -a exit,always [some general rule]
# Filter out events with executable name /bin/exe1 or