I'll give that a shot. How do I find out what the supported message types are?
-----Original Message-----
From: Richard Guy Briggs [mailto:[email protected]]
Sent: Monday, May 15, 2017 11:23 PM
To: Boyce, Kevin P [US] (AS) <[email protected]>
Cc: [email protected]
Subject: EXT :Re: Exclude Watched Items

On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
>
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
>
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
>
> Both of these are ignored. The first makes sense because I guess -d
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule. (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old. More types are supported upstream and only very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
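The "-a exit,never -F dir=/proc" rule Richard suggests, plus the constraint that the exclude list only takes "-F msgtype=", as an added example that is not part of the thread or of the audit project's own code. It is a small POSIX shell script that writes a hypothetical audit.rules fragment and lints it for the two mistakes the thread touches on: a suppression placed after the rules it is meant to suppress (the kernel walks the syscall rule list in order and the first match decides, which is why auditctl(8) tells you to put "never" rules at the top), and an exclude rule that filters on something other than msgtype. The syscall names, keys, the arch= field and the msgtype=CWD exclusion are illustrative choices, not from the page; the linters only inspect text, so the script runs without auditctl or root.

```shell
#!/bin/sh
# Added example: build and lint an audit.rules fragment that stops
# auditing opens under /proc. Not the thread's or audit's own code.

# Emit the rules fragment. The rule set is hypothetical; only the
# "-a exit,never -F dir=/proc" line comes from the thread.
proc_suppress_rules() {
    cat <<'EOF'
## Suppressions first: syscall rules are matched in list order and the
## first hit wins, so a "never" rule placed after an "always" rule for
## the same syscall is dead weight.
-a exit,never -F dir=/proc
## The rules we actually want (illustrative syscalls and keys)
-a exit,always -F arch=b64 -S open -S openat -F key=file-open
-a exit,always -F arch=b64 -S chown -S fchown -F key=file-owner
## The exclude list filters record types, not paths: "-F msgtype=" is
## the only field it accepts on older kernels. This drops CWD records.
-a exclude,always -F msgtype=CWD
EOF
}

# Lint 1: every "-a exit,never" rule must precede every "-a exit,always"
# rule on stdin. Exit 0 if ordered, 1 otherwise.
never_rules_first() {
    awk '
        /^-a[ \t]+exit,always/ { seen_always = 1 }
        /^-a[ \t]+exit,never/  { if (seen_always) bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Lint 2: every "-a exclude,..." rule on stdin may only use -F msgtype=.
# Catches the "-a exclude,always -F dir=/proc" attempt from the thread.
# Exit 0 if all exclude rules are clean, 1 otherwise.
exclude_rules_msgtype_only() {
    awk '
        /^-a[ \t]+exclude,/ {
            for (i = 2; i <= NF; i++)
                if ($i == "-F" && $(i + 1) !~ /^msgtype=/) bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Run both linters over a rules file or over stdin; exit non-zero on
# the first failure so it can gate a deployment.
lint_rules() {
    tmp=$(mktemp) || return 1
    cat "${1:--}" > "$tmp"
    rc=0
    never_rules_first < "$tmp" || { echo "never rules must come first" >&2; rc=1; }
    exclude_rules_msgtype_only < "$tmp" || { echo "exclude rules may only use -F msgtype=" >&2; rc=1; }
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: print the fragment and lint it.
if [ "${AUDIT_RULES_DEMO:-1}" = 1 ]; then
    proc_suppress_rules
    proc_suppress_rules | lint_rules
fi
```

To apply the fragment on a real host you would still load it with auditctl -R (or drop it into the audit rules directory) and confirm with auditctl -l that the never rule sits above the open rules; the script deliberately stops short of that so it can be run anywhere.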
