I am monitoring open syscalls on /etc/shadow and am receiving alerts that I would like to suppress. Is it possible to exclude alerts for files opened with particular commands? For example, xlock opening the shadow file? I didn't see an option like this in the auditctl man page, but I know those pages may be outdated. Thanks, Steve