How to filter PROCTITLE events

杨海 hai.yang at magic-shield.com
Tue Jul 30 12:18:41 UTC 2019


Hi Steve,


Thanks for the suggestion on read/write. I have two more questions which I haven't figured out.
1) Do auditctl rules support regular expressions? For some params, it is not easy to filter specific messages using "=" or "!=".
2) In message payload, some fields are not what we care about. Any way we can reduce the fields/params in audit log?


Regards
Hai
 
 
------------------ Original ------------------
From:  "Steve Grubb"<sgrubb at redhat.com>;
Date:  Thu, Jul 25, 2019 10:51 PM
To:  "杨海"<hai.yang at magic-shield.com>; 
Cc:  "linux-audit"<linux-audit at redhat.com>; 
Subject:  Re: How to filter PROCTITLE events

 

On Thursday, July 25, 2019 1:44:07 AM EDT 杨海 wrote:
> Thanks Steve. It works :-)
> Meanwhile, for read/write system calls, if they belong to the same pid and same
> fd, we are trying to suppress them into one msg. I guess it would not be
> able to filter using auditctl, is that right?

Technically you could suppress them. In practice, it's not feasible. You 
would need to have application specific rules to suppress. The more rules you 
have the more performance you lose.

But I would start by questioning whether you really need to monitor reads and 
writes? If a file is opened with O_WRONLY or O_RDWR, can it just be assumed 
that the file was written to?

-Steve
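Added example, not code from the thread or from the audit project: the per-pid/per-fd suppression Hai asks about, together with dropping uninteresting fields, done as userspace post-processing of auditd's log rather than as auditctl rules. It assumes the standard `type=... msg=audit(time:serial): key=value ...` record layout, x86_64 syscall numbers (0=read, 1=write, 257=openat), and uses constructed sample records; the helper names and the `keep` field list are this example's own.

```python
"""Collapse runs of read/write SYSCALL records that share (pid, fd) into one
summary and keep only the fields a consumer cares about. This is post-processing
of the written audit log, not an auditctl filter (auditctl cannot do this itself)."""
import re

# Assumption: x86_64 syscall numbers (arch=c000003e); other arches differ.
X86_64_SYSCALLS = {0: "read", 1: "write", 257: "openat"}

_HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log, not taken from the mailing-list thread.
_TAIL = ('items=0 ppid=900 pid={pid} auid=1000 uid=1000 gid=1000 euid=1000 '
         'suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 '
         'comm="app" exe="/usr/local/bin/app" key="rw-watch"')


def _syscall_line(serial, nr, fd, ret, pid=1234):
    """Build one realistic SYSCALL record; a0 (the fd) is logged in hex by the kernel."""
    return (f"type=SYSCALL msg=audit(1564487000.{serial:03d}:{serial}): "
            f"arch=c000003e syscall={nr} success=yes exit={ret} a0={fd:x} "
            f"a1=7ffd1e2c3000 a2=200 a3=0 " + _TAIL.format(pid=pid))


SAMPLE_LOG = "\n".join([
    _syscall_line(100, 257, 0xffffff9c, 3),   # openat(AT_FDCWD, ...) returns fd 3
    "type=PROCTITLE msg=audit(1564487000.100:100): proctitle=2F7573722F62696E2F617070",
    _syscall_line(101, 1, 3, 512),            # three write(3, ...) calls in a row
    _syscall_line(102, 1, 3, 512),
    _syscall_line(103, 1, 3, 128),
    _syscall_line(104, 0, 4, 64),             # read(4, ...) breaks the run
    _syscall_line(105, 1, 3, 10, pid=5678),   # write(3, ...) from another pid
])


def parse_record(line):
    """Split one audit line into a dict of its fields; None for malformed lines."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    rec.update((k, v.strip('"')) for k, v in _FIELD_RE.findall(body))
    return rec


def coalesce_rw(lines, keep=("pid", "comm", "exe", "key")):
    """Merge consecutive read/write SYSCALL records with the same (pid, fd, syscall)
    into one summary (count, total bytes, first/last serial). Other SYSCALL records
    pass through projected to `keep`; PROCTITLE/PATH/CWD records are dropped."""
    out, run = [], None

    def flush():
        nonlocal run
        if run is not None:
            out.append(run)
            run = None

    for rec in map(parse_record, lines):
        if rec is None or rec["type"] != "SYSCALL":
            continue
        name = X86_64_SYSCALLS.get(int(rec["syscall"]), rec["syscall"])
        base = {"syscall": name, **{k: rec[k] for k in keep if k in rec}}
        if name not in ("read", "write"):
            flush()
            out.append({**base, "serial": rec["serial"]})
            continue
        fd = int(rec["a0"], 16)
        ident = (rec["pid"], fd, name)
        # exit is the byte count on success and a negative errno otherwise
        nbytes = int(rec["exit"]) if rec.get("success") == "yes" else 0
        if run is not None and run["_ident"] == ident:
            run["count"] += 1
            run["bytes"] += nbytes
            run["last_serial"] = rec["serial"]
        else:
            flush()
            run = {**base, "fd": fd, "count": 1, "bytes": nbytes,
                   "first_serial": rec["serial"], "last_serial": rec["serial"],
                   "_ident": ident}
    flush()
    for summary in out:
        summary.pop("_ident", None)
    return out


if __name__ == "__main__":
    for summary in coalesce_rw(SAMPLE_LOG.splitlines()):
        print(summary)
```

Run it against `ausearch -m SYSCALL --raw` output or a copy of `/var/log/audit/audit.log` to see how much a read/write watch collapses; the cost Steve mentions is still paid in the kernel for every record, so this only shrinks what is stored or shipped, not what is generated.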