EXT :Re: Exclude Watched Items

Steve Grubb sgrubb at redhat.com
Tue May 16 21:17:33 UTC 2017


On Tuesday, May 16, 2017 8:54:40 AM EDT Boyce, Kevin P [US] (AS) wrote:
> I'll give that a shot.  How do I find out what the supported message types
> are?

ausearch -m x

This will cause ausearch to output an error message that describes the 
supported types.

-Steve

> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb at redhat.com]
> Sent: Monday, May 15, 2017 11:23 PM
> To: Boyce, Kevin P [US] (AS) <Kevin.Boyce at ngc.com>
> Cc: linux-audit at redhat.com
> Subject: EXT :Re: Exclude Watched Items
> 
> On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> > Ok I admit I should know how to do this, but it is evident I do not.
> > 
> > On RHEL 5.11, what is the correct way for me to not audit anything in
> > /proc?
> > 
> > I had tried:
> > -d entry,always -S all -F dir=/proc
> > -a exclude,always -F dir=/proc
> > 
> > Both of these are ignored.  The first makes sense because I guess -d
> > must match exactly a rule already loaded in the kernel.
> 
> "-d" says delete the rule.  (I think the entry list is deprecated.)
> 
> > The second is telling me I have an invalid message type, but I can't
> > seem to find the valid message types documented in the man pages.
> 
> The exclude list only supports "-F msgtype=" on anything that old.
> 
> More types are supported upstream and only very recent RHEL7.
> 
> > Other systemcalls which are audited are open, fopen, chown, chattr, etc.
> > I am trying to prevent auditing of the open syscall on /proc/...
> > because there are a lot of them, and it is not a requirement.
> 
> How about "-a exit,never -F dir=/proc"?
> 
> > Kevin
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa,
> Red Hat Canada IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
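Added example, not code from anyone in this thread: an audit.rules fragment that applies the "-a exit,never -F dir=/proc" suggestion ahead of the usual always rules, plus a small lint that checks that ordering. The syscall list and the lint function are my own choices, not something the thread specifies; the ordering matters because the syscall exit filter stops at the first matching rule.

```shell
#!/bin/sh
# Emit a constructed audit.rules fragment. The "never" rule for /proc must
# come before the "always" rules: the kernel's exit filter is first-match,
# so a never rule placed after an always rule is never reached.
example_rules() {
    cat <<'EOF'
# Do not record syscalls whose path resolves under /proc (first match wins)
-a exit,never -F dir=/proc
# Record opens and ownership changes everywhere else (assumed rule set)
-a exit,always -S open -S openat
-a exit,always -S chown -S fchown -S lchown
# Note: on audit versions as old as RHEL 5 the exclude list accepts only
# "-F msgtype=", so "-a exclude,always -F dir=/proc" is rejected; the
# path-based suppression has to live on the exit list as above.
EOF
}

# Lint: return 0 when every "-a exit,never" rule appears before the first
# "-a exit,always" rule in the supplied rules text, 1 otherwise.
# Comment lines (starting with "#") are ignored.
never_rules_first() {
    printf '%s\n' "$1" | awk '
        /^-a[ \t]+exit,always/ { seen_always = 1 }
        /^-a[ \t]+exit,never/ && seen_always { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: print the fragment and verify its ordering.
example_rules
if never_rules_first "$(example_rules)"; then
    echo "ok: never rules precede always rules"
else
    echo "bad ordering: a never rule follows an always rule" >&2
fi
```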
