How to monitor only when a binary is launched

Steve Grubb sgrubb at redhat.com
Tue Oct 20 13:33:46 UTC 2020


On Tuesday, October 20, 2020 4:59:56 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Aide or clamscan are analyzing all the files on the system, thus generating
> a lot of messages. They are binaries that I can trust, so I can exclude
> their activity from auditd. I know that I can do this with -a never,exit
> -F arch=b64 -F exe=/sbin/aide
> 
> However, I would like to have an entry for the execution of the binary
> itself with the parameters used. I would like to turn off only the report
> of the syscalls it issued.
> 
> Is there a general way to achieve that: record the launch of a binary but
> not its actions?

Wouldn't -a always,exit -S execve do the job?

-Steve
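An added example, not part of the thread, combining the two rules discussed above into one rules fragment. It assumes aide lives at /sbin/aide (as in the question), that the fragment is installed as /etc/audit/rules.d/aide.rules via augenrules (a path and key name chosen here, not given in the thread), and a 64-bit system. The point it adds is ordering: auditd evaluates exit-filter rules in order and the first match wins, and by the time the execve syscall exits the process's exe field already names the new program, so the -a never rule for the binary would swallow its own launch record if it came first. The always,exit -S execve rule therefore has to precede it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an audit rules
# fragment that records each launch of a trusted binary with its arguments
# (SYSCALL record plus the EXECVE record carrying argv) while suppressing
# every other syscall that binary issues.
# Assumptions: binary path /sbin/aide (from the question), rules file path,
# and the key name "trusted-launch" are choices made for this example.

BIN=/sbin/aide
RULES_FILE=/etc/audit/rules.d/aide.rules

# Print the rules in the order they must be loaded.
aide_rules() {
    # 1. Record the launch. At execve exit the exe field is already the new
    #    program, so this rule must come before the suppression rule below,
    #    otherwise the never rule matches first and the launch is lost.
    printf -- '-a always,exit -F arch=b64 -S execve -F exe=%s -k trusted-launch\n' "$BIN"
    # 2. Drop everything else the binary does (the rule from the question).
    printf -- '-a never,exit -F arch=b64 -F exe=%s\n' "$BIN"
}

# Sanity check used before installing: the execve "always" rule must appear
# before the "never" rule. Returns 0 when the ordering is correct.
rules_ordered() {
    aide_rules | awk '
        /-a always,exit/ && /-S execve/ && !seen_always { seen_always = NR }
        /-a never,exit/ && !seen_never { seen_never = NR }
        END { exit !(seen_always && seen_never && seen_always < seen_never) }'
}

# Write the fragment and load the merged rule set (requires root; not run
# automatically here).
install_rules() {
    rules_ordered || { echo "refusing to install: never rule precedes execve rule" >&2; return 1; }
    aide_rules > "$RULES_FILE" && augenrules --load
}
```

After `install_rules`, `ausearch -k trusted-launch -i` shows the SYSCALL and EXECVE records for each aide run and nothing for the file reads it performs afterwards; swapping the two lines in `aide_rules` makes `rules_ordered` fail and is exactly the misconfiguration the ordering check guards against.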
