How to filter PROCTITLE events

Steve Grubb sgrubb at redhat.com
Tue Jul 30 12:29:24 UTC 2019


Hello,

On Tuesday, July 30, 2019 8:18:41 AM EDT 杨海 wrote:
> Thanks for the suggestion on read/write. I have two more questions which I
> haven't figured out.
> 1) Does auditctl rules support regular expressions?
> For some params, it is not easy to filter specific messages using "=" or
> "!=".

No. Most things inside the kernel are numbers. Text is a human convenience.

> 2) In message payload, some fields are not what we care about. Any
> way we can reduce the fields/params in audit log? 

By default, no. You could patch auditd to do so if it's really necessary.

-Steve
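Since kernel-side rules only compare fields with the operators `auditctl -F` offers (=, !=, <, >, <=, >=, &, &=) and auditd writes every field the kernel sends, both regex matching and field reduction have to happen after the fact. The script below is an added example, not code from Steve Grubb or from the audit project: it groups raw audit.log records by event serial, decodes the PROCTITLE command line (hex-encoded by auditd when the value contains NUL argument separators or other unprintable bytes), applies a caller-supplied regex to it, and projects each matching event down to a chosen set of fields. The two sample events embedded in `SAMPLE_LOG` are constructed for the example; the field names follow the standard auditd record format.

```python
"""User-space filtering of auditd PROCTITLE events (added example).

auditctl rules cannot match text with regular expressions and cannot drop
fields from what the kernel emits, so this does both on the raw audit.log
format instead: group records by serial, decode PROCTITLE, regex-match the
command line, and keep only the fields the caller asks for.
"""
import re
from collections import defaultdict

# Constructed sample records (not from the original thread). The first event's
# proctitle is hex-encoded because the command line contains a NUL separator
# between "/usr/bin/cat" and "/etc/passwd"; the second is a plain quoted value.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1564489104.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c3e9a40 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_access"
type=PROCTITLE msg=audit(1564489104.123:456): proctitle=2F7573722F62696E2F636174002F6574632F706173737764
type=SYSCALL msg=audit(1564489105.200:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c3e9a40 a2=0 a3=0 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="etc_access"
type=PROCTITLE msg=audit(1564489105.200:457): proctitle="ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # name=value or name="value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # msg=audit(<epoch>:<serial>)
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def parse_record(line):
    """Split one audit.log line into a dict of field -> raw token (quotes kept)."""
    return dict(FIELD_RE.findall(line))


def unquote(token):
    """Strip the double quotes auditd puts around printable string values."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def decode_proctitle(token):
    """Turn a raw PROCTITLE token back into a command line.

    A quoted token is the command line as-is. An unquoted token is auditd's
    hex encoding of the raw bytes, where arguments are separated by NUL.
    """
    if token.startswith('"'):
        return unquote(token)
    if HEX_RE.match(token):
        parts = bytes.fromhex(token).split(b'\x00')
        return ' '.join(p.decode('utf-8', 'replace') for p in parts if p)
    return token


def group_events(log_text):
    """Merge the SYSCALL, PROCTITLE, ... records that share one serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        m = MSG_RE.search(rec.get('msg', ''))
        if not m:
            continue                      # not an audit record we understand
        ev = events[int(m.group(2))]
        ev['timestamp'] = m.group(1)
        ev['serial'] = int(m.group(2))
        if rec.get('type') == 'PROCTITLE':
            ev['proctitle'] = decode_proctitle(rec['proctitle'])
        else:
            ev.update({k: unquote(v) for k, v in rec.items()
                       if k not in ('msg', 'type')})
    return [events[s] for s in sorted(events)]


def filter_events(log_text, pattern,
                  keep=('timestamp', 'serial', 'uid', 'comm', 'exe', 'proctitle')):
    """Keep events whose decoded command line matches `pattern` (a regex),
    reduced to the `keep` fields. This is the user-space stand-in for the
    regex matching and field reduction that audit rules do not provide."""
    rx = re.compile(pattern)
    return [{k: ev[k] for k in keep if k in ev}
            for ev in group_events(log_text)
            if rx.search(ev.get('proctitle', ''))]


if __name__ == '__main__':
    for ev in filter_events(SAMPLE_LOG, r'/etc/passwd'):
        print(ev)
```

Feed it `sudo cat /var/log/audit/audit.log` (or the output of `ausearch --raw`) instead of `SAMPLE_LOG` for real data; the kernel rule still does the coarse, numeric selection (syscall number, uid, key), and the regex narrows the text afterwards.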

More information about the Linux-audit mailing list