On Tuesday, October 20, 2020 4:59:56 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Aide or clamscan are analyzing all the files on the system, thus generating
> a lot of messages. They are binaries that I can trust, so I can exclude
> their activity from auditd. I know that I can do this with
> -a never,exit -F arch=b64 -F exe=/sbin/aide
> However, I would like to have an entry for the execution of the binary
> itself with the parameters used. I would like to turn off only the report
> of the syscalls it issued.
> Is there a general way to achieve that: record the launch of a binary but
> not its actions?

Wouldn't -a always,exit -S execve do the job?
-Steve
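
The two rules from this thread combined into one rules file, as an added example that is not from either poster. Rules in the exit list are checked in order and the first match decides, so the execve rule is loaded before the never rule. The file name, the key `aide-exec` and the narrowing of the execve rule to `/sbin/aide` with `-F path=` are assumptions.

```conf
# /etc/audit/rules.d/30-aide.rules   (file name is an assumption)
#
# Rules on the exit list are evaluated in the order they are loaded;
# the first rule that matches an event decides whether it is logged.

# 1. Log each launch of aide. The event includes an EXECVE record,
#    which holds the command-line arguments (a0, a1, ...).
#    "-F path=" narrows the rule to this one binary (assumption; the
#    reply above suggests the unfiltered form "-a always,exit -S execve").
-a always,exit -F arch=b64 -S execve -F path=/sbin/aide -F key=aide-exec

# 2. Suppress every other syscall event issued by the running aide
#    process. This is the exclusion rule quoted in the question.
-a never,exit -F arch=b64 -F exe=/sbin/aide

# If the order is reversed, rule 2 can match first and the launch
# record is never written.
```

Once loaded, `ausearch -k aide-exec -i` shows the recorded launches with their arguments.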