On Tuesday, October 20, 2020 4:59:56 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Aide or clamscan are analyzing all the files on the system thus generating
> a lot of messages. They are binaries that I can trust so I can exclude
> their activity from auditd. I know that I can do this with -a never,exit
> -F arch=b64 -F exe=/sbin/aide
>
> However I would like to have an entry for the execution of the binary
> itself with the parameters used. I would like to turn off only the report
> of the syscall it issued.
>
> Is there a general way to achieve that: record the launch of a binary but
> not its actions?

Wouldn't -a always,exit -S execve do the job?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit