Selective Audit; filtering on message type; integration of operators

Debora Velarde dvelarde at us.ibm.com
Mon Oct 3 18:25:26 UTC 2005


> --
> 
> USER_SPACE
> 
> From a user-experience perspective, we're trying to enable a user to
> exclude messages of a certain type (or ranges of messages of particular
> types).  If you're unclear what types of messages are currently defined,
> see include/linux/audit.h.  Given extended support for ranges and
> comparative operators, this should be extensible to other audit record
> keys, such as the user, subject, etc.
> 
> I'm suggesting the ability to add new rules via auditctl to a new list,
> perhaps called "exclude".  The proposed interface would look like:
> 
> Exclude messages of a specific type:
>    auditctl -a exclude,always -F "type=AUDIT_IPC"
> 
> Exclude messages within range:
> auditctl -a exclude,always -F "type=AUDIT_SYSCALL..AUDIT_CWD"
> 
> Exclude messages using auditctl helper terms (ALL_DAEMON interpreted by
> auditctl to be a range of 1200-1299 as specified in the audit.h header):
> auditctl -a exclude,always -F "type=ALL_DAEMON"
> 
> Use multiple rules to exclude audit system command messages:
> auditctl -a exclude,always -F "type<1100"
> 
> Also, the same form should be usable for other parameters as well, such
> as uid, pid, etc.
> auditctl -a exclude,always -F "uid<500"
> auditctl -a exclude,always -F "pid=464"
> 
> 

I like the new 'exclude' list idea.
We can currently select to never audit with the use of the action 'never',
such as "auditctl -a exit,never -F pid=464".
If we add an 'exclude' list then it seems like we would no longer need the 
'never' action.

I think 'auditctl -a exclude,always -F pid=464' is less confusing than the 
user having to figure out if they only need one or all of the following:
auditctl -a exit,never -F pid=464
auditctl -a entry,never -F pid=464
auditctl -a task,never -F pid=464
auditctl -a user,never -F pid=464
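The exclude-list syntax quoted above, modelled as an added example that is not part of this thread or of the audit project's code: a small Python evaluator that parses the -F specs from the proposal (exact match, comparator, explicit range, and the ALL_DAEMON helper term), applies them to constructed records, and shows that a single exclude rule on pid drops matching records whichever list (exit, entry, task, user) produced them, which is the point of the reply. The type constants are a subset copied from include/linux/audit.h; the record dicts, the 'list' key, the filter_records/parse_exclude_rule names, and the choice to treat a record that lacks the tested field as not matching are all assumptions of this example.

```python
"""Model of the proposed auditctl 'exclude' list: parse -F specs and apply them."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Subset of the message type constants from include/linux/audit.h.
# Assumption: this subset is enough for the illustration; the header defines many more.
AUDIT_TYPES: Dict[str, int] = {
    "AUDIT_GET": 1000, "AUDIT_SET": 1001, "AUDIT_LIST": 1002, "AUDIT_ADD": 1003,
    "AUDIT_DEL": 1004, "AUDIT_USER": 1005, "AUDIT_LOGIN": 1006,
    "AUDIT_DAEMON_START": 1200, "AUDIT_DAEMON_END": 1201,
    "AUDIT_DAEMON_ABORT": 1202, "AUDIT_DAEMON_CONFIG": 1203,
    "AUDIT_SYSCALL": 1300, "AUDIT_PATH": 1302, "AUDIT_IPC": 1303,
    "AUDIT_SOCKETCALL": 1304, "AUDIT_CONFIG_CHANGE": 1305,
    "AUDIT_SOCKADDR": 1306, "AUDIT_CWD": 1307,
}

# Helper terms that auditctl would expand into a numeric range.
# ALL_DAEMON (1200-1299) is the one named in the proposal.
HELPER_RANGES: Dict[str, tuple] = {"ALL_DAEMON": (1200, 1299)}

# field, comparator, right-hand side; longer operators listed first so '<=' beats '<'
_SPEC_RE = re.compile(r"^(\w+)\s*(<=|>=|!=|<|>|=)\s*(.+)$")


@dataclass
class ExcludeRule:
    field: str               # record field the rule tests: type, uid, pid, ...
    op: str                  # '=', '!=', '<', '<=', '>', '>=' or 'range'
    lo: int
    hi: Optional[int] = None  # upper bound, used only by 'range'

    def matches(self, record: Dict[str, Any]) -> bool:
        # A record without the field cannot satisfy the rule, so it is kept
        # (example's choice: never exclude on the absence of a value).
        if self.field not in record:
            return False
        v = record[self.field]
        if self.op == "range":
            return self.lo <= v <= self.hi
        return {"=": v == self.lo, "!=": v != self.lo, "<": v < self.lo,
                "<=": v <= self.lo, ">": v > self.lo, ">=": v >= self.lo}[self.op]


def _value(field: str, token: str) -> int:
    """Resolve a numeric or symbolic right-hand side to an integer."""
    token = token.strip()
    if token.isdigit():
        return int(token)
    if field == "type" and token in AUDIT_TYPES:
        return AUDIT_TYPES[token]
    raise ValueError(f"unknown value {token!r} for field {field!r}")


def parse_exclude_rule(spec: str) -> ExcludeRule:
    """Parse the -F argument as written in the proposal, e.g.
    'type=AUDIT_SYSCALL..AUDIT_CWD', 'type=ALL_DAEMON', 'type<1100', 'pid=464'."""
    m = _SPEC_RE.match(spec.strip().strip('"'))
    if not m:
        raise ValueError(f"malformed rule spec {spec!r}")
    field, op, rhs = m.groups()
    rhs = rhs.strip()
    if op == "=" and field == "type" and rhs in HELPER_RANGES:
        lo, hi = HELPER_RANGES[rhs]
        return ExcludeRule(field, "range", lo, hi)
    if op == "=" and ".." in rhs:
        a, b = rhs.split("..", 1)
        lo, hi = _value(field, a), _value(field, b)
        if lo > hi:
            raise ValueError(f"empty range in {spec!r}")
        return ExcludeRule(field, "range", lo, hi)
    return ExcludeRule(field, op, _value(field, rhs))


def filter_records(specs: List[str], records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply every exclude rule to every record; a record matching any rule is dropped."""
    rules = [parse_exclude_rule(s) for s in specs]
    return [r for r in records if not any(rule.matches(r) for rule in rules)]


# Constructed records, not real audit output. The 'list' key names the rule
# list (exit/entry/task/user) that would have produced the record.
SAMPLE_RECORDS = [
    {"type": AUDIT_TYPES["AUDIT_SYSCALL"], "uid": 0, "pid": 464, "list": "exit"},
    {"type": AUDIT_TYPES["AUDIT_CWD"], "uid": 0, "pid": 464, "list": "exit"},
    {"type": AUDIT_TYPES["AUDIT_IPC"], "uid": 1000, "pid": 2001, "list": "exit"},
    {"type": AUDIT_TYPES["AUDIT_DAEMON_START"], "pid": 300, "list": "task"},  # no uid field
    {"type": AUDIT_TYPES["AUDIT_USER"], "uid": 1000, "pid": 2001, "list": "user"},
    {"type": AUDIT_TYPES["AUDIT_LOGIN"], "uid": 499, "pid": 1500, "list": "user"},
    {"type": AUDIT_TYPES["AUDIT_PATH"], "uid": 1000, "pid": 2002, "list": "exit"},
]

if __name__ == "__main__":
    for spec in ["type=AUDIT_IPC", "type=AUDIT_SYSCALL..AUDIT_CWD", "type=ALL_DAEMON",
                 "type<1100", "uid<500", "pid=464"]:
        kept = filter_records([spec], SAMPLE_RECORDS)
        print(f"{spec:32} keeps {len(kept)} of {len(SAMPLE_RECORDS)} records")
```

Running the script shows "pid=464" removing both pid-464 records with one rule; under the existing scheme the same effect would need one 'never' rule per list the records could come from. Note also the daemon record, which carries no uid, survives "uid<500": an exclude rule keyed on a field that some record types never carry silently does nothing for them, which is worth knowing before relying on exclusion for privacy or volume control.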
