add config option for global filters
@@ -150,6 +150,12 @@ auditd_custom_rules:
- arch=b64
- arch=b64
executable: /bin/id
executable: /bin/id
comment: execution_bin_id
comment: execution_bin_id
# define general filter rule
- type: global_filter
action: always,exit
filters:
- dir=/opt/application
- perm=wa
```
```
All the configurations for the audit daemon are configurable as variables. See `defaults/main.yaml` for more details.
All the configurations for the audit daemon are configurable as variables. See `defaults/main.yaml` for more details.
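Review bot: the new `global_filter` example has no `comment` key, so unlike the `executable` entries above it the rendered rule carries no `-k` key and its events cannot be picked out by key (e.g. with `ausearch -k`); add a `comment:` line to the example so the documented shape matches the other rule types. The line `# define general filter rule` also leaves the semantics unstated: with `action: always,exit` and the fields `dir=/opt/application` and `perm=wa` this rule records write and attribute-change access under /opt/application, it does not filter anything out, so a sentence saying that `global_filter` emits `-a <action>` followed by the listed `-F` fields and no `-S` (and that an exclusion would need `never,exit`) would tell readers what the new option actually does.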
@@ -21,5 +21,8 @@
{% if rule.type == 'executable' %}
{% if rule.type == 'executable' %}
-a {{ rule.action }} -F exe={{ rule.executable }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %} -S execve -k {{ rule.comment }}
-a {{ rule.action }} -F exe={{ rule.executable }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %} -S execve -k {{ rule.comment }}
{% endif %}
{% endif %}
{% if rule.type == 'global_filter' %}
-a {{ rule.action }}{% if rule.filters is defined %}{% for filter in rule.filters %} -F {{ filter }}{% endfor %}{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
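Review bot: the `global_filter` branch never emits a key. The `executable` branch above ends in `-k {{ rule.comment }}`, but the new line stops after the `-F` loop, so every global filter rule is written without `-k` and cannot be matched by key later; suggest ending the line with `{% if rule.comment is defined %} -k {{ rule.comment }}{% endif %}`. Also, when `rule.filters` is undefined or empty the line renders as a bare `-a {{ rule.action }}` with neither `-F` nor `-S`, which is not a meaningful audit rule and may fail to load; either document `filters` as required or wrap the whole rule in the same `{% if rule.filters is defined %}` guard so nothing is emitted without fields.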