Difference between BITMAP_EXECUTABLE_PATH and BITMAP_EXCLUDE_EXTEND flags

Difference between BITMAP_EXECUTABLE_PATH and BITMAP_EXCLUDE_EXTEND flags

[Avtansh Gupta]

[-- Attachment #1.1: Type: text/plain, Size: 237 bytes --]

Hello All,

Please could you help me understand the difference between the following
flags which are being used?

AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND

-- 
*Regards,*

*Avtansh Gupta*
*+91 8743068185*

[-- Attachment #1.2: Type: text/html, Size: 646 bytes --]

[-- Attachment #2: Type: text/plain, Size: 107 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Re: Difference between BITMAP_EXECUTABLE_PATH and BITMAP_EXCLUDE_EXTEND flags

[Steve Grubb]

On Monday, January 16, 2023 11:15:46 AM EST Avtansh Gupta wrote:
> Hello All,
> 
> Please could you help me understand the difference between the following
> flags which are being used?
> 
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH

This ^^^ means the kernel supports -F exe=  in the rules.
https://listman.redhat.com/archives/linux-audit/2015-August/010585.html

> AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND

This ^^^ means that the exclude filter supports many more kinds of fields than 
the original design allowed for. 
https://listman.redhat.com/archives/linux-audit/2016-June/011433.html

For upstream kernels and ones derived after it was release, the second 
implies the first one is already included.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit