We are just starting to play around with drop_event filtering. Auditd rules are not great at filtering, so drop_event is going to serve us well.
Right now we are stuck with a nesting example and want to know what is possible. Any suggestions are appreciated.
```yaml
processors:
  - drop_event.when.and:
      - regexp.tags: redacted
      - or:
          - equals.process.executable: /opt/Tools/redacted
          - equals.process.executable: /usr/sbin/redacted2
      - or:
          - equals.auditd.data.syscall: unlink
          - equals.auditd.data.syscall: rename
```
Right now, the first and + or statements work. For the second or statement, this is what's not accepted. We want the syscalls to be matched only when the second executable is matched.
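For reference, this is one nesting that expresses the condition described in the post (drop only when the tag matches and either the first executable matches, or the second executable matches together with an unlink/rename syscall). It is an added example written in the standard Beats condition syntax, not the poster's working config; field names and values are taken from the post, and the regexp on `tags` is assumed to behave as it already does in the poster's setup:

```yaml
processors:
  - drop_event:
      when:
        and:
          # Top-level requirement from the post: the event must carry the tag.
          - regexp:
              tags: redacted
          # Then one of two alternatives must hold.
          - or:
              # Alternative 1: first executable, any syscall.
              - equals:
                  process.executable: /opt/Tools/redacted
              # Alternative 2: second executable AND one of the two syscalls.
              # Putting the syscall "or" inside this "and" ties it to
              # redacted2 only, instead of applying it to every event.
              - and:
                  - equals:
                      process.executable: /usr/sbin/redacted2
                  - or:
                      - equals:
                          auditd.data.syscall: unlink
                      - equals:
                          auditd.data.syscall: rename
```

Each `and`/`or` takes a list of sub-conditions, and they can be nested to any depth, so the syscall list only constrains the branch it is placed in.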