Hi Steve,

Thanks for the suggestion on read/write. I have two more questions which I haven't figured out.
1) Does auditctl rules support regular expressions? For some params, it is not easy to filter specific messages using “=” or "!=".
2) In message payload, some fields are not what we care about. Any way we can reduce the fields/params in audit log?

Regards
Hai
 
 
------------------ Original ------------------
Date:  Thu, Jul 25, 2019 10:51 PM
To:  "杨海"<hai.yang@magic-shield.com>;
Cc:  "linux-audit"<linux-audit@redhat.com>;
Subject:  Re: How to filter PROCTITLE events
 
On Thursday, July 25, 2019 1:44:07 AM EDT 杨海 wrote:
> Thanks Steve. It works :-)
> Meanwhile, for read/write system call, if they belongs to same pid and same
> fd, we are trying to suppress them into one msg. I guess it would not be
> able to filter using auditctl, is that right?

Technically you could suppress them. In practice, it's not feasible. You
would need to have application specific rules to suppress. The more rules you
have the more performance you lose.

But I would start by questioning whether you really need to monitor reads and
writes? If a file is opened with O_WRONLY or O_RDWR, can it just be assumed
that the file was written to?

-Steve