From 0e2762ca6e379fd1130e1cd8b93cf971c719abfb Mon Sep 17 00:00:00 2001
From: Tim Herren
Date: Mon, 20 Sep 2021 17:12:30 +0200
Subject: [PATCH] add config option for global filters

---
 README.md | 6 ++++++
 templates/custom.rules.j2 | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 21326e0..4ce58ef 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,12 @@ auditd_custom_rules:
 - arch=b64
 executable: /bin/id
 comment: execution_bin_id
+ # define general filter rule
+ - type: global_filter
+ action: always,exit
+ filters:
+ - dir=/opt/application
+ - perm=wa
 ```
 All the configurations for the audit daemon are configurable as variables. See `defaults/main.yaml` for more details.
diff --git a/templates/custom.rules.j2 b/templates/custom.rules.j2
index c668c2c..a19cdfe 100644
--- a/templates/custom.rules.j2
+++ b/templates/custom.rules.j2
@@ -21,5 +21,8 @@
 {% if rule.type == 'executable' %}
 -a {{ rule.action }} -F exe={{ rule.executable }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %} -S execve -k {{ rule.comment }}
 {% endif %}
+{% if rule.type == 'global_filter' %}
+-a {{ rule.action }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %}
+{% endif %}
 {% endfor %}
 {% endif %}
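Review bot: The new `global_filter` branch in templates/custom.rules.j2 emits no `-k` key, unlike the `executable` branch directly above it, so events matched by these rules carry no key and cannot be searched with `ausearch -k` the way every other generated rule can; the README example correspondingly omits `comment:`. Appending `{% if rule.comment is defined %} -k {{ rule.comment }}{% endif %}` to the new `-a {{ rule.action }}` line keeps the key optional while matching the rest of the template. Because `rule.filters` is guarded by `is defined`, a `global_filter` entry without `filters` renders as a bare `-a always,exit`, which carries no `-F` or `-S` restriction at all; it would be safer to require `filters` for this type (fail the template) than to silently emit an unrestricted rule. The enclosing `{% for %}` and outer `{% if %}` begin outside the hunk.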