Thanks Steve. It works :-)
Meanwhile, for read/write system calls, if they belong to the same pid and same fd, we are
trying to suppress them into one msg. I guess it would not be able to filter using
auditctl, is that right?
Regards
Hai
------------------ Original ------------------
From: "Steve Grubb"<sgrubb(a)redhat.com>;
Date: Wed, Jul 24, 2019 08:14 PM
To: "linux-audit"<linux-audit(a)redhat.com>;
Cc: "杨海"<hai.yang(a)magic-shield.com>;
Subject: Re: How to filter PROCTITLE events
On Wednesday, July 24, 2019 5:27:59 AM EDT 杨海 wrote:
Hi
I am looking for the method to filter the PROCTITLE events via auditctl.
It is said we can do it, but I could not figure out how.
Did you read about the exclude filter? :-)
"The proctitle event is emitted during syscall audits, and can be filtered with auditctl."
-a always,exclude -F msgtype=PROCTITLE
There is another example in the 20-dont-audit.rules file.
-Steve
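As an added illustration (not code from the thread, auditd or the audit project), the script below walks a constructed audit.log excerpt and does in userspace what the two messages above talk about: it discards PROCTITLE records, which is what `-a always,exclude -F msgtype=PROCTITLE` makes the kernel do before the record is ever emitted, and it coalesces consecutive read/write SYSCALL records that share a pid and fd into one record with a count, the aggregation Hai describes, done here as log post-processing rather than as an auditctl rule. It also decodes a proctitle value so the cost of excluding that record type is visible. Assumptions: the sample lines are constructed, the host is x86_64 (`arch=c000003e`, where syscall 0 is read and 1 is write, and `a0` is the file descriptor), and the proctitle field is hex-encoded as auditd does when argv contains NUL bytes.

```python
import re

# Constructed sample of an auditd log from an x86_64 host (not taken from the
# thread). On this arch syscall 0 is read, 1 is write, and a0 carries the fd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1563962879.101:500): arch=c000003e syscall=0 success=yes exit=4096 a0=3 a1=7ffd0 a2=1000 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1563962879.101:500): proctitle=636174002F6574632F686F737473
type=SYSCALL msg=audit(1563962879.102:501): arch=c000003e syscall=0 success=yes exit=4096 a0=3 a1=7ffd0 a2=1000 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1563962879.102:501): proctitle=636174002F6574632F686F737473
type=SYSCALL msg=audit(1563962879.103:502): arch=c000003e syscall=0 success=yes exit=0 a0=3 a1=7ffd0 a2=1000 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1563962879.103:502): proctitle=636174002F6574632F686F737473
type=SYSCALL msg=audit(1563962879.104:503): arch=c000003e syscall=1 success=yes exit=13 a0=1 a1=7ffd0 a2=d a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1563962879.104:503): proctitle=636174002F6574632F686F737473
type=SYSCALL msg=audit(1563962879.105:504): arch=c000003e syscall=0 success=yes exit=512 a0=5 a1=7ffd0 a2=1000 a3=0 items=0 ppid=1 pid=5151 auid=1000 uid=1000 comm="less" exe="/usr/bin/less"
type=PROCTITLE msg=audit(1563962879.105:504): proctitle=6C657373002F7661722F6C6F672F6D65737361676573
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
READ_WRITE = {"0", "1"}  # assumption: x86_64 syscall numbers for read/write


def parse_record(line):
    """Turn one audit record into a dict; quotes are stripped and the
    msg=audit(ts:serial) field is split into 'ts' and 'serial'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["ts"], rec["serial"] = m.group(1), m.group(2)
    return rec


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def drop_proctitle(records):
    """Userspace stand-in for '-a always,exclude -F msgtype=PROCTITLE'. The real
    exclude filter stops the kernel emitting the record at all; discarding it
    after the fact makes the effect on the stream visible."""
    return [r for r in records if r.get("type") != "PROCTITLE"]


def coalesce_read_write(records):
    """Merge consecutive read/write SYSCALL records sharing pid and fd (a0) into
    one record carrying a count and the serial range covered. Run this after
    drop_proctitle: interleaved PROCTITLE records would otherwise break adjacency."""
    out = []
    for rec in records:
        is_rw = rec.get("type") == "SYSCALL" and rec.get("syscall") in READ_WRITE
        prev = out[-1] if out else None
        if (is_rw and prev is not None and prev.get("type") == "SYSCALL"
                and prev.get("syscall") in READ_WRITE
                and prev.get("pid") == rec.get("pid")
                and prev.get("a0") == rec.get("a0")):
            prev["count"] += 1
            prev["last_serial"] = rec.get("serial")
            continue
        out.append(dict(rec, count=1, last_serial=rec.get("serial")))
    return out


def decode_proctitle(value):
    """PROCTITLE holds argv separated by NUL bytes; auditd hex-encodes it when it
    contains NUL or other special bytes and quotes it otherwise. Pass the raw
    field value (quotes included, if any) and get the argv list back."""
    if value.startswith('"'):
        return [value.strip('"')]
    raw = bytes.fromhex(value).rstrip(b"\0")
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")]


def summarize(text):
    """Full pipeline: (total records, records left after dropping PROCTITLE,
    coalesced SYSCALL records)."""
    recs = parse_log(text)
    kept = drop_proctitle(recs)
    return len(recs), len(kept), coalesce_read_write(kept)


if __name__ == "__main__":
    total, kept, merged = summarize(SAMPLE_LOG)
    print(f"{total} records, {kept} after excluding PROCTITLE, {len(merged)} after coalescing")
    for r in merged:
        print(f"pid={r['pid']} fd={r.get('a0')} syscall={r.get('syscall')} "
              f"count={r['count']} serials {r['serial']}..{r['last_serial']} comm={r.get('comm')}")
    # What the exclude rule throws away: the full command line of the process.
    print("argv carried by PROCTITLE:", decode_proctitle("636174002F6574632F686F737473"))
```

On the constructed input the ten records shrink to five once PROCTITLE is gone and to three once the three consecutive reads of fd 3 by pid 4242 are merged. The decoded proctitle shows the trade-off of the exclude rule: PROCTITLE is the only record that carries the process's full argv, so excluding it reduces volume at the price of losing the command-line arguments an investigator would otherwise have for every audited syscall.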