Hello,
On Tuesday, July 30, 2019 8:18:41 AM EDT 杨海 wrote:
> Thanks for the suggestion on read/write. I have two more questions which I
> haven't figured out.
>
> 1) Do auditctl rules support regular expressions?
> For some params, it is not easy to filter specific messages using "=" or
> "!=".

No. Most things inside the kernel are numbers. Text is a human convenience.

> 2) In the message payload, some fields are not what we care about. Is there
> any way we can reduce the fields/params in the audit log?

By default, no. You could patch auditd to do so if it's really necessary.
-Steve
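Both points in the reply above come down to where the filtering happens: an auditctl rule is evaluated in the kernel against numeric fields (so -F takes comparisons such as =, !=, <, >, <=, >= but no regular expressions), and the record layout is fixed. Anything finer, such as matching a path against a pattern or keeping only a handful of fields, has to be done in user space on the text auditd has already written. The script below is an added example, not code from this thread or from the audit project; it parses a few constructed audit.log lines, groups records by the serial in msg=audit(ts:serial), applies a regex to a chosen field, and projects each matching event down to the fields you care about. The sample lines and the function names are this example's own.

```python
"""User-space post-filtering of audit log records (added example).

Kernel-side auditctl rules compare numbers and cannot use regular
expressions or trim fields; both are easy once the records are text.
"""
import re
from typing import Dict, List

# key=value pairs; values are double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>): ties the records of one event together
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

Record = Dict[str, str]
Event = List[Record]

# Constructed sample in the layout auditd writes to /var/log/audit/audit.log;
# values are made up for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1564488000.123:4711): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0a1b2c0 a2=80000 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1564488000.123:4711): item=0 name="/etc/passwd" inode=1234567 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1564488001.456:4712): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d3c0a1b2d0 a2=80000 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1564488001.456:4712): item=0 name="/etc/shadow" inode=1234568 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1564488002.789:4713): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c0a1b300 a1=55d3c0a1b340 a2=55d3c0a1b380 a3=0 items=2 ppid=1200 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec-watch"
"""


def parse_record(line: str) -> Record:
    """Split one audit record into a dict; adds _ts and _serial from msg=."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        raise ValueError(f"no audit(ts:serial) in record: {line!r}")
    rec["_ts"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def group_events(text: str) -> Dict[str, Event]:
    """Group records by event serial (SYSCALL + PATH + ... of one event)."""
    events: Dict[str, Event] = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def match_events(events: Dict[str, Event], field: str, pattern: str) -> Dict[str, Event]:
    """Keep events in which any record's <field> matches <pattern> (re.search)."""
    rx = re.compile(pattern)
    return {s: ev for s, ev in events.items()
            if any(field in r and rx.search(r[field]) for r in ev)}


def project(events: Dict[str, Event], keep: List[str]) -> List[Dict[str, str]]:
    """Flatten each event to the serial plus only the fields in <keep>.

    A field is taken from the first record of the event that carries it,
    so e.g. auid comes from SYSCALL and name from PATH.
    """
    out: List[Dict[str, str]] = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        merged = {"serial": serial}
        for rec in ev:
            for k in keep:
                if k in rec and k not in merged:
                    merged[k] = rec[k]
        out.append(merged)
    return out


def summarize(text: str, field: str, pattern: str, keep: List[str]) -> List[Dict[str, str]]:
    """Regex-filter events on <field>, then reduce them to <keep> fields."""
    return project(match_events(group_events(text), field, pattern), keep)


if __name__ == "__main__":
    # Opens of /etc/passwd or /etc/shadow, reduced to four fields per event
    for row in summarize(SAMPLE_LOG, "name", r"^/etc/(passwd|shadow)$",
                         ["auid", "comm", "name", "success"]):
        print(row)
```

This keeps the kernel rule broad (for example a watch on /etc with a key) and moves the pattern matching and field reduction to the consumer, which is the usual alternative to patching auditd: the same approach works on the output of ausearch, or in an audispd plugin that receives each record as text.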