Help with drop_event

We are just starting to play around with drop_event filtering. Auditd rules are not great at filtering so drop_event is going to serve us well.

Right now we are stuck with a nesting example and want to know what is possible. Any suggestions are appreciated

processors:
    - drop_event.when.and:
      - regexp.tags: redacted
      - or:
        - equals.process.executable: /opt/Tools/redacted
        - equals.process.executable: /usr/sbin/redacted2
          - or:
            - equals.auditd.data.syscall: unlink
            - equals.auditd.data.syscall: rename

Right now, the first and + or statements work. For the second or statement, this is what's not accepted. We want the syscalls to be matched only when the second executable is matched.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.