Hi,

Using the Linux kernel audit system I audit program executions with the following audit rule:

-w /usr/sbin/my-program -p x -k my-program-audit-class

In order to keep the audit log clean I want to suppress executions of my-program if done by a defined set of applications given their path. Since the PPID is available in the audit log entry (type=SYSCALL), there might be some means to filter out by parent program path at the time the audit log is generated; however, I cannot find a solution, also not by looking at audit_filter_rules(). Introducing helper scripts to clean up audit.log by filtering out later on, as well as distinguishing by user/group or security context, are not my preferred options.

Thank you,
Simon

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
