* Identify whether the kernel version supports Path based exclusion
From: Anurag Aggarwal @ 2023-01-10 12:08 UTC (permalink / raw)
To: Linux-audit; +Cc: avtanshgupta1995
Hello All,
I need a method to identify whether the auditd version a kernel is running
supports path based exclusions.
One option would be to use audit_add_rule_data to add a temporary path
based rule and check if it is successful, but this won't work when auditd
is running in immutable mode.
Any other way which does not require checking versions of Kernel or
Distribution?
--
Anurag Aggarwal
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
* Re: Identify whether the kernel version supports Path based exclusion
From: Casey Schaufler @ 2023-01-10 14:55 UTC (permalink / raw)
To: Anurag Aggarwal, Linux-audit; +Cc: avtanshgupta1995
On 1/10/2023 4:08 AM, Anurag Aggarwal wrote:
> Hello All,
>
> I need a method to identify whether the auditd version a kernel is
> running supports path based exclusions.
% cat /sys/kernel/security/lsm
This will tell you what security modules are in use. Check whether
any of the modules that use path based controls (AppArmor, TOMOYO)
are in the list.
>
> One option would be to use audit_add_rule_data to add a temporary path
> based rule and check if it is successful, but this won't work when
> auditd is running in immutable mode.
>
>
> Any other way which does not require checking versions of Kernel or
> Distribution?
>
> --
> Anurag Aggarwal
>
* Re: Identify whether the kernel version supports Path based exclusion
From: Steve Grubb @ 2023-01-10 15:15 UTC (permalink / raw)
To: Linux-audit, linux-audit; +Cc: avtanshgupta1995
Hello,
On Tuesday, January 10, 2023 7:08:12 AM EST Anurag Aggarwal wrote:
> I need a method to identify whether the auditd version a kernel is running
> supports path based exclusions.
It's not dependent on auditd. The kernel itself decides if a rule is valid.
> One option would be to use audit_add_rule_data to add a temporary path
> based rule and check if it is successful, but this won't work when auditd
> is running in immutable mode.
>
> Any other way which does not require checking versions of Kernel or
> Distribution?
If you are looking to see if this is supported
-a always,exclude -F exe=/usr/bin/ls
then it can be detected by:
#include <stdio.h>
#include <libaudit.h>   /* audit_get_features(), AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND; link with -laudit */
int main(void)
{
    uint32_t features = audit_get_features();   /* feature bitmap reported by the kernel */
    if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0)
        puts("not supported");
    else
        puts("supported");
}
-Steve
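The check Steve describes, carried out without libaudit, as an added example that is not code from this thread or from the audit-userspace project: it sends the AUDIT_GET status request over the audit netlink socket (the request audit_get_features() wraps), pulls feature_bitmap out of the struct audit_status reply, and decodes every set bit by the AUDIT_FEATURE_BITMAP_* names in <linux/audit.h>. The short feature names, the "bitN" label for bits the example has no name for, and the helper names are this example's own; the constants and struct layout are the kernel UAPI ones.

```c
/* Added example, not code from this thread or from audit-userspace: issue the
 * AUDIT_GET status request that libaudit's audit_get_features() wraps, read
 * feature_bitmap from the reply and decode it.  cc -Wall -o auditfeat auditfeat.c */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Bits 0..6 of audit_status.feature_bitmap in AUDIT_FEATURE_BITMAP_* order
 * from <linux/audit.h>; the short names are this example's own labels. */
static const char *const feature_names[] = {
    "backlog_limit", "backlog_wait_time", "executable_path",
    "exclude_extend", "sessionid_filter", "lost_reset", "filter_fs",
};

/* 1 if exclude rules may carry non-msgtype fields such as exe=, pid=, uid=. */
int exclude_extend_supported(uint32_t features)
{
    return (features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) != 0;
}

/* Comma-separated names of the set bits ("bitN" when unnamed) into out.
 * Returns the number of set bits, or -1 if out is too small. */
int decode_features(uint32_t features, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0, nnames = sizeof feature_names / sizeof feature_names[0];
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 32; bit++) {
        int w;
        if (!(features & (1u << bit)))
            continue;
        if (bit < nnames)
            w = snprintf(out + used, outlen - used, "%s%s", n ? "," : "", feature_names[bit]);
        else
            w = snprintf(out + used, outlen - used, "%sbit%u", n ? "," : "", bit);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;                                  /* truncated */
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Fill *features from the running kernel.  Returns 0, or -errno: -EPERM
 * without CAP_AUDIT_CONTROL or outside the initial pid namespace.  AUDIT_GET
 * is a read, so it works even when the audit config is immutable (-e 2). */
int query_feature_bitmap(uint32_t *features)
{
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST, .nlmsg_seq = 1 };
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    char buf[8192] __attribute__((aligned(NLMSG_ALIGNTO)));
    struct nlmsghdr *h = (struct nlmsghdr *)buf;
    struct audit_status st = { 0 };
    size_t payload, need = offsetof(struct audit_status, feature_bitmap) + 4;
    ssize_t len;
    int err = 0, fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    if (sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&kernel,
               sizeof kernel) < 0 || (len = recv(fd, buf, sizeof buf, 0)) < 0)
        err = -errno;
    else if (!NLMSG_OK(h, (unsigned)len))
        err = -EBADMSG;
    else if (h->nlmsg_type == NLMSG_ERROR)          /* kernel refused, e.g. -EPERM */
        err = ((struct nlmsgerr *)NLMSG_DATA(h))->error ? ((struct nlmsgerr *)NLMSG_DATA(h))->error : -EBADMSG;
    else if (h->nlmsg_type != AUDIT_GET || (payload = NLMSG_PAYLOAD(h, 0)) < need)
        err = -EBADMSG;
    else {  /* older kernels send a shorter audit_status: copy only what arrived */
        memcpy(&st, NLMSG_DATA(h), payload < sizeof st ? payload : sizeof st);
        *features = st.feature_bitmap;
    }
    close(fd);
    return err;
}

int main(void)
{
    uint32_t features = 0;
    char list[256];
    int rc = query_feature_bitmap(&features);
    if (rc < 0) {
        fprintf(stderr, "AUDIT_GET failed: %s\n", strerror(-rc));
        return 1;
    }
    decode_features(features, list, sizeof list);
    printf("feature_bitmap=0x%08x [%s]\nexclude_extend: %s\n", features, list,
           exclude_extend_supported(features) ? "supported" : "not supported");
}
```

Run it as root (AUDIT_GET needs CAP_AUDIT_CONTROL, and the kernel only answers from the initial pid namespace, so a container normally gets EPERM). Returning -errno separately from the bitmap is deliberate: a plain 0 bitmap cannot tell a kernel that reports no features apart from a query that never reached the kernel, and a program that only tests the EXCLUDE_EXTEND bit would print "not supported" in both cases.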