Hello,
On Tuesday, January 10, 2023 7:08:12 AM EST Anurag Aggarwal wrote:
> I need a method to identify whether the auditd version a kernel is running
> supports path based exclusions.
It's not dependent on auditd. The kernel itself decides if a rule is valid.
> One option would be to use audit_add_rule_data to add a temporary path
> based rule and check if it is successful, but this won't work when auditd
> is running in immutable mode.
>
> Any other way which does not require checking versions of Kernel or
> Distribution?
If you are looking to see if this is supported
-a always,exclude -F exec=/usr/bin/ls
then it can be detected by:
#include <stdio.h>
#include <stdint.h>
#include <libaudit.h>   /* audit_get_features(), AUDIT_FEATURE_BITMAP_*; link with -laudit */

uint32_t features = audit_get_features();   /* kernel's audit feature bitmap */
if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0)
    puts("not supported");
else
    puts("supported");
-Steve
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
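Added example, not part of Steve's reply or of libaudit: a complete program built around the feature-bitmap check above. It decodes the bitmap into feature names and distinguishes "kernel says no" from "the query itself failed", which matters because audit_get_features() (as I read the libaudit source) returns 0 when it cannot talk to the kernel, for instance without CAP_AUDIT_CONTROL. The HAVE_LIBAUDIT macro is my own build switch so the file also compiles where libaudit is absent; the fallback bit values are the ones from the kernel's UAPI linux/audit.h, and the bitmap used in that mode is constructed.

```c
/* Added example (not from the mailing-list post): query and decode the
 * kernel's audit feature bitmap to answer "does this kernel accept
 * '-a always,exclude -F exec=...' rules?" without looking at versions.
 *
 *   with libaudit:    cc -DHAVE_LIBAUDIT exclude_check.c -laudit
 *   without libaudit: cc exclude_check.c   (uses a constructed bitmap)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>   /* audit_get_features(), AUDIT_FEATURE_BITMAP_* */
#else
/* Fallback so the file compiles without the audit headers; the values are
 * copied from the kernel's UAPI linux/audit.h. */
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008
#endif

enum exclude_support {
    EXCLUDE_QUERY_FAILED = -1,  /* no usable bitmap: not privileged, no audit netlink, ... */
    EXCLUDE_UNSUPPORTED  =  0,
    EXCLUDE_SUPPORTED    =  1
};

/* Pure decision over a feature bitmap. A bitmap of 0 is reported as a failed
 * query rather than "unsupported": audit_get_features() returns 0 when the
 * status query fails (assumption based on the libaudit source), so a 0 is
 * indistinguishable from "could not ask the kernel". */
enum exclude_support exclude_extend_from_bitmap(uint32_t features)
{
    if (features == 0)
        return EXCLUDE_QUERY_FAILED;
    return (features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
           ? EXCLUDE_SUPPORTED : EXCLUDE_UNSUPPORTED;
}

/* Writes the names of the set, known bits into buf (comma separated) and
 * returns how many names were written in full. Unknown bits are ignored;
 * on truncation the function stops rather than overrunning buf. */
int audit_feature_names(uint32_t features, char *buf, size_t len)
{
    static const struct { uint32_t bit; const char *name; } known[] = {
        { AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT,     "BACKLOG_LIMIT" },
        { AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME, "BACKLOG_WAIT_TIME" },
        { AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH,   "EXECUTABLE_PATH" },
        { AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND,    "EXCLUDE_EXTEND" },
    };
    size_t used = 0;
    int count = 0;

    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (!(features & known[i].bit))
            continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         count ? "," : "", known[i].name);
        if (n < 0 || (size_t)n >= len - used)
            break;
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void)
{
#ifdef HAVE_LIBAUDIT
    uint32_t features = audit_get_features();   /* real query; normally needs CAP_AUDIT_CONTROL */
#else
    uint32_t features = 0x0000000Fu;            /* constructed sample: first four bits set */
#endif
    char names[128];

    audit_feature_names(features, names, sizeof names);
    printf("feature bitmap 0x%08x: %s\n", features, names[0] ? names : "(none)");

    switch (exclude_extend_from_bitmap(features)) {
    case EXCLUDE_SUPPORTED:
        puts("exclude -F exec= rules: supported");
        return 0;
    case EXCLUDE_UNSUPPORTED:
        puts("exclude -F exec= rules: not supported by this kernel");
        return 0;
    default:
        puts("could not read the audit feature bitmap (privileges? audit netlink?)");
        return 1;
    }
}
```

Because the decision is taken from the bitmap the kernel reports, it works the same whether or not auditd has locked the rules (-e 2): no temporary rule has to be added and removed, which was the problem with the audit_add_rule_data probe.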