Set audisp plugin filters

Richard Guy Briggs rgb at redhat.com
Wed Apr 12 15:54:31 UTC 2017


On 2017-04-12 08:28, Eytan Naim wrote:
> Hi,

Hi Eytan,

> I am currently developing an audisp plugin that should be as effective as possible.
> Therefore, I want to set my own set of filtering rules (2-3 syscalls) and I don't want to get any other audit events from the audisp itself, - I assumed it is possible to set my own plugin rules but I couldn't find it in the audit documentation (Linux Audit API) nor any other audisp plugins examples. Is it even possible?

There is only one set of rules.

You may need to add extra functionality to your plugin to do additional
filtering, but I'll defer to Steve who would be better able to advise.

> If not, is it possible to run an auditd of my own in parallel with the original auditd? I assume each auditd can define its own set of audit rules. - Am I right?

At the moment there can only be one audit daemon registered with the kernel at a time.

There are ideas floating around to have more than one audit daemon
running in the future, but that is specifically to support containers
and is most likely to be tied to a single instance per user namespace
with its own ruleset.

I suspect it isn't the answer you were seeking.

> Eytan Naim | SW Engineer

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
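The "extra functionality in the plugin" that Richard mentions, as an added example that is not part of the original message and not code from the audit project: audispd hands each plugin one audit record per line on stdin (assuming "format = string" in the plugin's .conf), so a plugin that only wants 2-3 syscalls has to drop everything else itself, because the kernel ruleset is shared with auditd and every other plugin. The syscall numbers kept here (x86_64 execve/connect/openat) and the record lines in the test are constructed for illustration.

```c
/* Minimal stdin filter in the style of an audisp plugin (added example,
 * not audit-project code). It keeps only type=SYSCALL records whose
 * syscall= number is in KEEP_SYSCALLS and forwards them to stdout; a real
 * plugin would do its own work instead of fputs(). Assumes one audit record
 * per line on stdin, i.e. "format = string" in the plugin configuration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allow-list: x86_64 execve(59), connect(42), openat(257). */
static const long KEEP_SYSCALLS[] = { 59, 42, 257 };
static const size_t NKEEP = sizeof KEEP_SYSCALLS / sizeof KEEP_SYSCALLS[0];

/* Copy the value of "key=" from an audit record into out (up to the next
 * space or newline). The key must start the record or follow a space so that
 * "syscall" does not match inside some other field name. Returns 1 if found. */
int audit_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " \n");
            if (n >= outsz)
                return 0;          /* value too long for caller's buffer */
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;                 /* false match, keep scanning */
    }
    return 0;
}

/* A record passes only if it is type=SYSCALL and its syscall= is in keep[]. */
int keep_record(const char *rec, const long *keep, size_t nkeep)
{
    char buf[32];
    char *end;
    long nr;

    if (!audit_field(rec, "type", buf, sizeof buf) || strcmp(buf, "SYSCALL") != 0)
        return 0;
    if (!audit_field(rec, "syscall", buf, sizeof buf))
        return 0;
    nr = strtol(buf, &end, 10);
    if (*end != '\0')
        return 0;                  /* not a plain number, e.g. a name */
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == nr)
            return 1;
    return 0;
}

int main(void)
{
    char line[8192];

    /* Read records from audispd until EOF; signal handling (SIGTERM/SIGHUP
     * from audispd) is left out to keep the example short. */
    while (fgets(line, sizeof line, stdin)) {
        if (keep_record(line, KEEP_SYSCALLS, NKEEP))
            fputs(line, stdout);
    }
    return 0;
}
```

One caveat a practitioner will hit: a syscall event is several records (SYSCALL, CWD, PATH, EXECVE, PROCTITLE) sharing the serial in msg=audit(ts:serial), and this filter keeps only the SYSCALL record. To keep the companion records you would group by that serial first, which is what libauparse does for you when a plugin feeds it the stream with auparse_feed().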