Ordered early exit match=verdict decision lists

While updating an old hacky audit-follow script to do more long-term monitoring recently, I found that I wanted to add a filtering mini-language/DSL to it, and after trying a couple of options with blacklists/whitelists and such, quickly arrived at using a seemingly unnamed but fairly popular list type for this again. Something that looks like this:

  - apparmor=DENIED && profile~!/^chromium(-.*)?/ # drop common noise
  + uid=myuser # include everything with this parameter
  - auid=myuser && uid=root
  - e/type=LOGIN .* res=yes/ && proctitle="/usr/bin/cron -f"

Ignoring the actual matching syntax after the initial +/-, this seems to be a rather common structure for filtering rules, similar to firewall rules or rsync filters, and is often the simplest, most intuitive and easiest to work with. The idea is that for every filtered entity, e.g. an audit event in this case (or a packet in the case of a firewall, or a file/dir path in rsync), you go over all rules top-to-bottom and stop at the first one that matches, issuing its verdict…
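As an added example (not code from the post or from the author's script), here is the top-to-bottom first-match evaluation in Python, run over constructed audit-style events. The condition syntax (k=v, k~/re/, e/re/), the default verdict when no rule matches, and the sample events are my assumptions, since the post leaves them unspecified.

```python
import re

# Rule syntax is my assumption (the post leaves it unspecified): "<+|-> cond [&& cond]... [# comment]",
# cond = k=v (exact, quotes optional) | k~/re/ (regex on field) | e/re/ (regex on "k=v k=v ..." event line).
COND_RE = re.compile(r"^(?:e/(?P<ev>.+)/|(?P<k>\w+)(?:=(?P<v>.+)|~/(?P<re>.+)/))$")
def _pred(m):
    if m["ev"] is not None:  # whole-event regex
        rx = re.compile(m["ev"])
        return lambda ev: rx.search(" ".join(f"{k}={v}" for k, v in ev.items())) is not None
    key = m["k"]
    if m["v"] is not None:  # exact field match
        want = m["v"].strip('"')
        return lambda ev: ev.get(key) == want
    rx = re.compile(m["re"])  # field regex
    return lambda ev: key in ev and rx.search(ev[key]) is not None

def parse_rules(text):
    """Return [(include_bool, [predicate, ...]), ...] in source order."""
    rules = []
    for line in text.splitlines():
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()  # drop comment, skip blanks
        if line:
            sign, _, body = line.partition(" ")
            conds = [COND_RE.match(c.strip()) for c in body.split(" && ")]
            if sign not in ("+", "-") or not all(conds):
                raise ValueError(f"bad rule: {line!r}")
            rules.append((sign == "+", [_pred(m) for m in conds]))
    return rules

def decide(rules, event, default=False):
    """First fully matching rule wins -> (include, 1-based rule number), so 'why was this
    dropped?' is answerable. No match -> (default, None); default-drop is assumed here."""
    for n, (include, preds) in enumerate(rules, 1):
        if all(p(event) for p in preds):
            return include, n
    return default, None
RULES = parse_rules("""
- apparmor=DENIED && profile~/^chromium(-.*)?/ # drop common noise
+ uid=myuser # include everything with this parameter
- auid=myuser && uid=root
- e/type=LOGIN .* res=yes/ && proctitle="/usr/bin/cron -f"
""")
EVENTS = [  # constructed sample events, as the field dicts an audit-follow script would parse
    {"type": "AVC", "apparmor": "DENIED", "profile": "chromium-sandbox", "uid": "myuser"},
    {"type": "AVC", "apparmor": "DENIED", "profile": "firefox", "uid": "myuser"},
    {"type": "SYSCALL", "uid": "root", "auid": "myuser", "comm": "sudo"},
    {"type": "LOGIN", "pid": "412", "res": "yes", "uid": "root", "proctitle": "/usr/bin/cron -f"},
    {"type": "SYSCALL", "uid": "root", "auid": "root", "comm": "cron"},
]
```

Returning the rule number alongside the verdict makes it cheap to check why an event was dropped while tuning the list; moving `+ uid=myuser` above the first rule would let the chromium noise through, which is exactly the ordering property that makes these lists easy to reason about.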