Add ability to make multiple syscalls for action rules #7

Open
isuftin opened this issue Nov 13, 2020 · 0 comments

Comments

Contributor

isuftin commented Nov 13, 2020

Proposed feature

Add ability to have a rule written out such as -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod

According to the documentation @ https://linux.die.net/man/7/audit.rules this is a valid format.

Currently this doesn't seem to be a thing @ https://github.com/robertdebock/ansible-role-auditd/blob/master/templates/custom.rules.j2#L20

I can do something like:

  - syscall: 'chmod -S fchmod -S fchmodat'
    action: always
    filter: exit
    filters:
      - auid>=500
      - auid!=4294967295
    keyname: perm_mod

But it would be good to be able to accept either a string or a list of strings for the syscall.

Rationale

I am not blocked, as I am able to work around it as shown above, but a feature like this would be convenient.
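As an added illustration of the proposed behaviour (example code written here, not code from ansible-role-auditd or from the issue author), the renderer below builds the `-a` line from the same keys the YAML above uses (`syscall`, `action`, `filter`, `filters`, `keyname`) and accepts `syscall` as either a string or a list of strings. The `arch` key is an assumption added for the example so the rendered line can carry `-F arch=b64` ahead of the `-S` flags, as in the rule quoted at the top of the issue; it is not a key the issue mentions. A string is passed through unchanged, so the workaround shown above keeps producing the same rule, while a list is validated token by token so that a list entry cannot smuggle extra auditctl options into the rendered rule.

```python
"""Render auditd rules from structured data where 'syscall' may be a
string or a list of strings. Added example; not code from the role."""
import re
from typing import Mapping, Sequence, Union

# A syscall name as auditctl -S accepts it: an identifier, a number, or 'all'.
_SYSCALL_TOKEN = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9_]*|\d+|all)$")


def normalise_syscalls(value: Union[str, Sequence[str]]) -> list:
    """Return the list of values to emit after '-S'.

    A plain string is passed through unchanged, which keeps the issue's
    workaround ('chmod -S fchmod -S fchmodat') rendering the same rule.
    A list is validated entry by entry: each item must be a single syscall
    token, so a list entry cannot inject further options into the rule.
    """
    if isinstance(value, str):
        return [value]
    syscalls = list(value)
    if not syscalls:
        raise ValueError("syscall list must not be empty")
    for name in syscalls:
        if not isinstance(name, str) or not _SYSCALL_TOKEN.match(name):
            raise ValueError(f"invalid syscall name: {name!r}")
    return syscalls


def render_audit_rule(rule: Mapping[str, object]) -> str:
    """Build one '-a <action>,<filter> ...' line from a rule mapping.

    Keys mirror the issue's YAML: syscall, action, filter, filters, keyname.
    'arch' is an assumed extra key (not in the issue); when present it is
    emitted before -S, because auditctl resolves syscall names per arch.
    """
    parts = ["-a", f"{rule['action']},{rule['filter']}"]
    if rule.get("arch"):
        parts += ["-F", f"arch={rule['arch']}"]
    for name in normalise_syscalls(rule["syscall"]):
        parts += ["-S", name]
    for field_filter in rule.get("filters", []):
        parts += ["-F", str(field_filter)]
    if rule.get("keyname"):
        # The key is what 'ausearch -k <keyname>' matches on when reviewing
        # the events this rule generates.
        parts += ["-k", str(rule["keyname"])]
    return " ".join(parts)


def render_rules(rules: Sequence[Mapping[str, object]]) -> str:
    """Render a whole rules file body, one rule per line."""
    return "".join(render_audit_rule(r) + "\n" for r in rules)


# Constructed sample input: the issue's perm_mod rule written both ways.
SAMPLE_RULES = [
    {   # list form, the feature the issue asks for
        "syscall": ["chmod", "fchmod", "fchmodat"],
        "action": "always",
        "filter": "exit",
        "arch": "b64",
        "filters": ["auid>=500", "auid!=4294967295"],
        "keyname": "perm_mod",
    },
    {   # string form, the workaround from the issue
        "syscall": "chmod -S fchmod -S fchmodat",
        "action": "always",
        "filter": "exit",
        "arch": "b64",
        "filters": ["auid>=500", "auid!=4294967295"],
        "keyname": "perm_mod",
    },
]

if __name__ == "__main__":
    print(render_rules(SAMPLE_RULES), end="")
```

Running the module prints the perm_mod rule twice, identical for both input forms; a list entry such as `"chmod -S fchmod"` is rejected rather than rendered, which is the check worth keeping if the role adopts the list syntax.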
