How to filter PROCTITLE events

杨海 hai.yang at magic-shield.com
Thu Jul 25 05:44:07 UTC 2019


Thanks Steve. It works :-)
Meanwhile, for read/write system calls, if they belong to the same pid and same fd, we are trying to suppress them into one msg. I guess it would not be possible to filter them using auditctl, is that right?


Regards
Hai
------------------ Original ------------------
From:  "Steve Grubb"<sgrubb at redhat.com>;
Date:  Wed, Jul 24, 2019 08:14 PM
To:  "linux-audit"<linux-audit at redhat.com>; 
Cc:  "杨海"<hai.yang at magic-shield.com>; 
Subject:  Re: How to filter PROCTITLE events
On Wednesday, July 24, 2019 5:27:59 AM EDT 杨海 wrote:
> Hi
> 
> I am looking for the method to filter the PROCTITLE events via auditctl.
> 
> It is said we can do it, but I could not figure out how.

Did you read about the exclude filter?  :-)

> "The proctitle event is emitted during syscall audits, and can be filtered
> with auditctl."

-a always,exclude -F msgtype=PROCTITLE

There is another example in the 20-dont-audit.rules file.

-Steve
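One user-space way to do what the follow-up asks for (collapsing read/write records that share a pid and fd into a single summary) is to post-process the audit log rather than filter in auditctl. This is an added example, not code from this thread or from the audit project; the log lines are constructed, and it assumes x86_64 syscall numbers (arch=c000003e, read=0, write=1) with the fd carried in a0:

```python
import re
from collections import OrderedDict

# Constructed sample records (not real audit output): three reads on fd 3 and
# one write on fd 4 by pid 1234, then a read on fd 5 by a different pid.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1564033447.101:501): arch=c000003e syscall=0 success=yes exit=4096 a0=3 a1=7ffd1 a2=1000 a3=0 pid=1234 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1564033447.102:502): arch=c000003e syscall=0 success=yes exit=4096 a0=3 a1=7ffd1 a2=1000 a3=0 pid=1234 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1564033447.103:503): arch=c000003e syscall=1 success=yes exit=4096 a0=4 a1=7ffd1 a2=1000 a3=0 pid=1234 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1564033447.104:504): arch=c000003e syscall=0 success=yes exit=0 a0=3 a1=7ffd1 a2=1000 a3=0 pid=1234 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1564033447.105:505): arch=c000003e syscall=0 success=yes exit=512 a0=5 a1=7ffd1 a2=1000 a3=0 pid=9999 comm="sh" exe="/usr/bin/bash"
"""

# Assumed x86_64 syscall numbers (arch=c000003e) for read and write.
READ_WRITE = {"0": "read", "1": "write"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def coalesce_read_write(log_text):
    """Collapse read/write SYSCALL records that share (pid, fd, operation) into one
    summary each: number of calls and bytes transferred (exit= on success)."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in READ_WRITE:
            continue  # not a read/write syscall record; leave it alone
        fd = int(rec["a0"], 16)  # a0 is printed in hex and holds the fd
        op = READ_WRITE[rec["syscall"]]
        key = (int(rec["pid"]), fd, op)
        g = groups.setdefault(key, {"pid": key[0], "fd": fd, "op": op,
                                    "comm": rec.get("comm"), "count": 0, "bytes": 0})
        g["count"] += 1
        if rec.get("success") == "yes":
            try:
                g["bytes"] += max(int(rec.get("exit", "0")), 0)
            except ValueError:
                pass  # exit was not a plain integer; count the call, skip bytes
    return list(groups.values())

if __name__ == "__main__":
    for g in coalesce_read_write(SAMPLE_LOG):
        print(f'pid={g["pid"]} comm={g["comm"]} fd={g["fd"]} {g["op"]} x{g["count"]} ({g["bytes"]} bytes)')
```

Feeding it real `ausearch --raw` output would also need per-event grouping (the msg=audit(...:serial) id), which this sketch ignores.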