Exclude Watched Items
Boyce, Kevin P [US] (AS)
Kevin.Boyce at ngc.com
Mon May 15 21:08:33 UTC 2017
Ok I admit I should know how to do this, but it is evident I do not.
On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
I had tried:
-d entry,always -S all -F dir=/proc
-a exclude,always -F dir=/proc
Both of these are ignored. The first makes sense because I guess -d must match exactly a rule already loaded in the kernel.
The second is telling me I have an invalid message type, but I can't seem to find the valid message types documented in the man pages.
Other system calls which are audited are open, fopen, chown, chattr, etc.
I am trying to prevent auditing of the open syscall on /proc/... because there are a lot of them, and it is not a requirement.
Kevin