EXT :Re: Exclude Watched Items

Boyce, Kevin P [US] (AS) Kevin.Boyce at ngc.com
Tue May 16 12:54:40 UTC 2017


I'll give that a shot.  How do I find out what the supported message types are?

-----Original Message-----
From: Richard Guy Briggs [mailto:rgb at redhat.com] 
Sent: Monday, May 15, 2017 11:23 PM
To: Boyce, Kevin P [US] (AS) <Kevin.Boyce at ngc.com>
Cc: linux-audit at redhat.com
Subject: EXT :Re: Exclude Watched Items

On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
> 
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
> 
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
> 
> Both of these are ignored.  The first makes sense because I guess -d 
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule.  (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't 
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old.

More types are supported upstream and only in very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
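Two things in the exchange above are easy to get wrong in an audit.rules file and are worth checking mechanically: on a RHEL 5 era kernel the exclude list accepts only "-F msgtype=", and the "-a exit,never -F dir=/proc" suppression only works if it sits above the exit,always rules it is meant to override, because the kernel walks the exit list in order and the first matching rule decides. The linter below is an added example, not code from the audit project or from either author in the thread; the "legacy" flag, the KNOWN_MSGTYPES subset and the sample rules are constructed for this illustration, and only the list, action, dir/path and syscall parts of each rule are compared.

```python
"""Added example, not code from the audit project or from the thread's
authors: a small linter for an audit.rules fragment.  Assumptions:
  * a "legacy" kernel (RHEL 5 era) accepts only -F msgtype= on the exclude
    list, so any other field there is an error;
  * rules are evaluated in list order and the first match wins, so an
    exit,never suppression must precede the exit,always rule it overrides;
  * only dir/path fields and syscall names are compared when deciding
    whether two rules overlap.
"""
import shlex

# Subset of audit record type names (the AUDIT_* constants in libaudit.h
# with the prefix dropped), constructed for this example; the real list
# is much longer.
KNOWN_MSGTYPES = {"SYSCALL", "PATH", "CWD", "EXECVE", "SOCKADDR",
                  "PROCTITLE", "CONFIG_CHANGE", "USER_LOGIN", "AVC", "EOE"}
LISTS = {"task", "exit", "user", "exclude", "entry"}
OPS = ("!=", ">=", "<=", "=", ">", "<")   # two-character operators first


def parse_rule(line):
    """Parse one auditctl-style line.  -w watches are folded into their
    '-a exit,always -F path=' equivalent; unknown options are skipped."""
    toks = shlex.split(line.split("#", 1)[0])
    rule = {"op": "add", "list": None, "action": None, "fields": [], "syscalls": []}
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-a", "-A", "-d") and arg and "," in arg:
            rule["op"] = {"-a": "add", "-A": "prepend", "-d": "delete"}[opt]
            a, b = arg.split(",", 1)
            # auditctl accepts both list,action and action,list
            rule["list"], rule["action"] = (a, b) if a in LISTS else (b, a)
        elif opt == "-w" and arg:
            rule["list"], rule["action"] = "exit", "always"
            rule["fields"].append(("path", "=", arg))
        elif opt == "-F" and arg:
            for op in OPS:
                if op in arg:
                    name, value = arg.split(op, 1)
                    rule["fields"].append((name, op, value))
                    break
        elif opt == "-S" and arg:
            rule["syscalls"].extend(arg.split(","))
        i += 1 if arg is None else 2
    if rule["list"] == "exit" and not rule["syscalls"]:
        rule["syscalls"] = ["all"]          # no -S means every syscall
    return rule


def _paths_overlap(a, b):
    """True if a dir/path filter on a and one on b can match the same file."""
    a, b = a.rstrip("/") or "/", b.rstrip("/") or "/"
    return "/" in (a, b) or a == b or a.startswith(b + "/") or b.startswith(a + "/")


def _syscalls_overlap(s1, s2):
    return "all" in s1 or "all" in s2 or bool(set(s1) & set(s2))


def lint(rules_text, legacy=True):
    """Return [(line number, message)] for every problem in rules_text."""
    problems, ordered = [], []   # ordered: the exit list as the kernel would hold it
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        r["line"] = lineno
        if r["list"] == "entry":
            problems.append((lineno, "the entry list is deprecated; use exit"))
        if r["list"] == "exclude":
            for name, _, value in r["fields"]:
                if name != "msgtype" and legacy:
                    problems.append((lineno, "exclude list accepts only -F msgtype= "
                                             f"on a legacy kernel, not -F {name}="))
                elif name == "msgtype" and value not in KNOWN_MSGTYPES:
                    problems.append((lineno, f"unknown message type {value}"))
        if r["list"] == "exit" and r["op"] != "delete":   # deletions are not simulated
            if r["op"] == "prepend":
                ordered.insert(0, r)
            else:
                ordered.append(r)
    # Walk the final list: a never rule is useless if an earlier always rule
    # already matches the same syscalls and paths, because the first match wins.
    for pos, r in enumerate(ordered):
        if r["action"] != "never":
            continue
        dirs = [v for n, _, v in r["fields"] if n in ("dir", "path")]
        for earlier in ordered[:pos]:
            e_dirs = [v for n, _, v in earlier["fields"] if n in ("dir", "path")]
            if earlier["action"] == "always" \
                    and _syscalls_overlap(r["syscalls"], earlier["syscalls"]) \
                    and (not e_dirs or any(_paths_overlap(d, e) for d in dirs for e in e_dirs)):
                problems.append((r["line"], "exit,never rule is shadowed by the exit,always "
                                            f"rule on line {earlier['line']}; move it above"))
                break
    return sorted(problems)


# Constructed rules, modelled on the attempts quoted in the thread.
BROKEN_RULES = """\
-a exit,always -S open -S chown -k files
-a exclude,always -F dir=/proc
-a exit,never -F dir=/proc
"""
FIXED_RULES = """\
-a exit,never -F dir=/proc
-a exit,always -S open -S chown -k files
-a exclude,always -F msgtype=CWD
"""

if __name__ == "__main__":
    for lineno, msg in lint(BROKEN_RULES):
        print(f"line {lineno}: {msg}")
    print("fixed rules:", lint(FIXED_RULES) or "clean")
```

Run against BROKEN_RULES the linter reports line 2 (a dir= field on the exclude list) and line 3 (the never rule sitting below the open/chown always rule that already matches /proc); FIXED_RULES passes. Passing legacy=False accepts other exclude fields for the newer kernels Richard mentions, and a rule added with -A is treated as prepended, so it is never reported as shadowed.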