[PATCH] Audit filter rule operators (0/2)

Dustin Kirkland dustin.kirkland at us.ibm.com
Fri Oct 21 23:24:06 UTC 2005


Hi-

Currently, audit only supports the "=" and "!=" operators in the -F
filter rules.

These two patches rework the support for "=" and "!=", and add support
for ">", ">=", "<", and "<=".

This turned out to be a pretty clean and simple process.  I ended up
using the high order bits of the "field", as suggested by Steve and Amy.
This allowed for no changes whatsoever to the netlink communications.
See the documentation within the patch in the include/linux/audit.h
area, where there is a table that explains the reasoning of the bitmask
assignments clearly.

There are two pieces to this patch.

The first is user space.  The second is kernel space.

I'll briefly describe those changes in the following emails with the
code.

The interface looks something like this....

Audit all ipc messages by normal users
	auditctl -a exit,always -S ipc -F "uid>=500"

Audit all opens by any user except for user 501:
	auditctl -a exit,always -S open -F "uid>=0" -F "uid!=501"

and so on...


:-Dustin
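The encoding the cover letter describes, as an added example that is not the patch's own code: the comparison operator is packed into the high-order bits of the 32-bit field id, so the field/value pair that crosses netlink keeps its shape and the kernel masks the operator back out when it evaluates a rule. The bit positions, the operator numbering and the field number for "uid" are assumed for illustration, not taken from the patch's table in include/linux/audit.h.

```c
/* Added example, not the patch's own code: pack a comparison operator into
 * the high-order bits of a 32-bit audit field id so the field/value pair
 * crosses netlink unchanged. Bit positions and field numbers are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define OP_SHIFT   28                 /* assumed: operator in bits 28..30 */
#define OP_MASK    (0x7u << OP_SHIFT)
#define FIELD_MASK (~OP_MASK)         /* kernel strips the operator with this */
#define FIELD_UID  1u                 /* assumed field number for "uid" */
enum { OP_EQ = 1, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE };

/* Parse "uid<op>value" (e.g. "uid>=500") into a packed field and a value.
 * Returns 0 on success, -1 on an unknown field or operator. */
int parse_rule(const char *s, uint32_t *field, uint32_t *value)
{
    const char *p = s + strcspn(s, "=!<>");   /* first operator character */
    uint32_t op;
    if (p - s != 3 || strncmp(s, "uid", 3) != 0) return -1;
    if      (!strncmp(p, "!=", 2)) { op = OP_NE; p += 2; }
    else if (!strncmp(p, ">=", 2)) { op = OP_GE; p += 2; }
    else if (!strncmp(p, "<=", 2)) { op = OP_LE; p += 2; }
    else if (*p == '=')            { op = OP_EQ; p += 1; }
    else if (*p == '>')            { op = OP_GT; p += 1; }
    else if (*p == '<')            { op = OP_LT; p += 1; }
    else return -1;
    *field = FIELD_UID | (op << OP_SHIFT);    /* operator rides in the high bits */
    *value = (uint32_t)strtoul(p, NULL, 10);
    return 0;
}

/* Evaluate a packed rule against an observed value, e.g. the uid at syscall exit. */
int rule_matches(uint32_t field, uint32_t value, uint32_t observed)
{
    switch ((field & OP_MASK) >> OP_SHIFT) {
    case OP_EQ: return observed == value;
    case OP_NE: return observed != value;
    case OP_LT: return observed <  value;
    case OP_LE: return observed <= value;
    case OP_GT: return observed >  value;
    case OP_GE: return observed >= value;
    default:    return 0;
    }
}
/* Convenience: parse and evaluate one -F rule; -1 means the rule did not parse. */
int rule_says(const char *rule, uint32_t observed)
{
    uint32_t f, v;
    return parse_rule(rule, &f, &v) ? -1 : rule_matches(f, v, observed);
}
```

With the two rules from the second auditctl line above, a uid of 501 satisfies "uid>=0" but fails "uid!=501", so the event is not audited, since every -F rule on a line must match.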