Any update on this, Steve? The other ignore rules seem to work, just not that one.

Thanks,
Max

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: 21 December 2011 19:25
To: linux-audit(a)redhat.com
Cc: Max Williams
Subject: Re: Path ignored but syscall event still logged

On Wednesday, December 21, 2011 07:17:01 AM Max Williams wrote:
> Sorry, forgot to include that!
> [root@host1 ~]# uname -r
> 2.6.32-131.21.1.el6.x86_64
> [root@host1 ~]# auditctl -s
> AUDIT_STATUS: enabled=1 flag=0 pid=24173 rate_limit=0 backlog_limit=8192 lost=124822501 backlog=0

Initial assessment, the kernel patch that discards events might only work on open(2). Eric is looking to see if this can be safely broadened.

-Steve

On Tuesday, December 20, 2011 12:55:49 PM Max Williams wrote:
> How come this event is not ignored due to the 8th rule? I think I'm
> missing something.

One piece of information is missing. The enforcement of the audit policy is done by the kernel. What do you get for uname -r?

-Steve