Set audisp plugin filters

Paul Moore paul at paul-moore.com
Wed Apr 12 15:56:29 UTC 2017


On Wed, Apr 12, 2017 at 4:28 AM, Eytan Naim <eytan.naim at imperva.com> wrote:
> Hi,
>
> I am currently developing an audisp plugin that should be as effective as possible.
>
> Therefore, I want to set my own set of filtering rules (2-3 syscalls) and I don't want to get any other audit events from audisp itself. I assumed it is possible to set my own plugin rules, but I couldn't find it in the audit documentation (Linux Audit API) or in any other audisp plugin examples. Is it even possible?
>
> If not, is it possible to run an auditd of my own in parallel with the original auditd? I assume each auditd can define its own set of audit rules. Am I right?

I'll let Steve Grubb respond with respect to the audit dispatcher, but
as far as the audit daemon is concerned you can currently only run one
instance at a time and only one set of audit filter rules that apply
to the entire system.

-- 
paul moore
www.paul-moore.com
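Since the kernel-side filter rules are global to the whole system and a plugin cannot register its own, the practical consequence of the reply above is that a plugin interested in only two or three syscalls has to do that narrowing itself on the events the dispatcher hands it. The following is an added example written for this page, not code from the original thread or from the audit project: a minimal audisp-style plugin that reads audit records from stdin and keeps only SYSCALL records for a small set of syscalls. It assumes the dispatcher was configured with `format = string` so each record arrives as one text line, that the global rules already deliver those syscalls (for instance `auditctl -a always,exit -F arch=b64 -S execve -S openat -k exec`), and that the host is x86_64, since syscall numbers are per-architecture. The sample records are constructed, not captured.

```python
"""Minimal audisp-style plugin: read audit records from stdin, keep only
SYSCALL records for a small set of syscalls, drop everything else.

Hypothetical example. It assumes the dispatcher was configured with
`format = string` so each record arrives as one text line on stdin, and
that the kernel-side rules (which are global to the system) already
deliver at least these syscalls. Syscall numbers below are x86_64.
"""
import re
import sys

# x86_64 syscall numbers (arch=c000003e). Assumption: the plugin runs on
# x86_64 hosts; on other architectures these numbers differ.
WANTED_SYSCALLS = {59: "execve", 322: "execveat", 257: "openat"}

# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record line into a dict of its key=value fields."""
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value.strip('"')
    return fields


def wants(record):
    """True if the record is a SYSCALL record for a syscall we track."""
    if record.get("type") != "SYSCALL":
        return False
    try:
        nr = int(record.get("syscall", ""), 10)
    except ValueError:
        # Malformed or missing syscall field: treat as not ours.
        return False
    return nr in WANTED_SYSCALLS


def filter_events(lines):
    """Return (kept_records, dropped_count) for an iterable of record lines."""
    kept = []
    dropped = 0
    for line in lines:
        rec = parse_record(line)
        if wants(rec):
            rec["syscall_name"] = WANTED_SYSCALLS[int(rec["syscall"], 10)]
            kept.append(rec)
        else:
            dropped += 1
    return kept, dropped


# Constructed sample records in auditd's text format, not captured from a
# real system. Only the two SYSCALL records for execve/openat should survive.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1491996989.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=5613 a1=5614 a2=5615 a3=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=EXECVE msg=audit(1491996989.123:456): argc=2 a0="ls" a1="-l"',
    'type=SYSCALL msg=audit(1491996990.456:457): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=7ffc a2=c a3=0 items=0 ppid=1000 pid=1001 comm="bash" exe="/usr/bin/bash" key=(null)',
    'type=SYSCALL msg=audit(1491996991.789:458): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5616 a2=0 a3=0 items=1 ppid=1000 pid=1002 comm="cat" exe="/usr/bin/cat" key="files"',
    'type=USER_LOGIN msg=audit(1491996992.000:459): pid=1234 uid=0 auid=1000 ses=3 msg=\'op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success\'',
]


def main(stream=sys.stdin, out=sys.stdout):
    """Plugin entry point: one record per line on stdin, emit the matches."""
    kept, dropped = filter_events(line.rstrip("\n") for line in stream)
    for rec in kept:
        out.write(
            f'{rec["syscall_name"]} pid={rec.get("pid")} '
            f'exe={rec.get("exe")} key={rec.get("key")}\n'
        )
    return len(kept), dropped


if __name__ == "__main__":
    main()
```

Everything the dispatcher sends still crosses the pipe into the plugin, so this reduces what the plugin processes, not what the kernel records or what auditd writes to its log; the only lever for that is the single global rule set.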



