Hello, Aide or clamscan are analyzing all the files on the system thus generating a lot of messages They are binaries that I can trust so I can exclude their activity from auditd. I know that I can do this with -a never,exit -F arch=b64 -F exe=/sbin/aide
However I would like to have an entry for the execution of the binary itself with the parameters used. I would like to turn off only the report of the syscall it issued . Is there a general way to achieve that : record the launch of a binary but not its actions. Thanks Philippe Worldline and equensWorldline are registered trademarks and trading names owned by the Worldline Group. This e-mail and any documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this e-mail from your systems. As e-mails may be intercepted, amended or lost, they are not secure. Worldline and its subsidiaries therefore cannot accept liability for any errors in their content. Although Worldline endeavours to maintain a virus-free network, we do not warrant that this e-mail is virus-free and cannot accept liability for any damages resulting from any transmitted virus if any. The risks are deemed to be accepted by anyone who communicates with Worldline or its subsidiaries by e-mail.
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
