On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
> Both of these are ignored. The first makes sense because I guess -d
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule. (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old.
More types are supported upstream and in only very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
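As an added example, not part of the thread, here is a small POSIX sh lint for the two pitfalls the exchange touches on: an exclude-list rule using a field other than msgtype (all the exclude list accepts on audit as old as RHEL 5's), and an exit,never suppression placed below the exit,always rule it is meant to suppress (the exit list is matched in order and the first matching rule decides). The rule fragments are constructed for the example; the lint does not check whether a given kernel accepts -F dir=/proc at all.

```shell
# Lint a fragment of auditctl rules for the two pitfalls raised in the thread.
# Rules are read from stdin; findings go to stderr, the finding count to stdout.
#  1. An "exclude" rule using any field other than msgtype: on audit as old as
#     RHEL 5's the exclude list accepts only "-F msgtype=" (newer kernels and
#     userspace accept more fields, so treat this as a warning).
#  2. An "exit,never" suppression placed after an "exit,always" rule: the exit
#     list is matched in order and the first matching rule decides, so the
#     suppression must come before the rules it is meant to override.
lint_audit_rules() {
    findings=0 seen_always=0 lineno=0
    while IFS= read -r rule; do
        lineno=$((lineno + 1))
        case "$rule" in
            ''|'#'*) continue ;;                       # blank line or comment
            *"-a exclude,"*|*"-a always,exclude"*|*"-a never,exclude"*)
                case "$rule" in
                    *"-F msgtype="*) ;;                # the one supported field
                    *"-F "*)
                        echo "line $lineno: exclude list only takes -F msgtype= here: $rule" >&2
                        findings=$((findings + 1)) ;;
                esac ;;
            *"-a exit,always"*|*"-a always,exit"*)
                seen_always=1 ;;
            *"-a exit,never"*|*"-a never,exit"*)
                if [ "$seen_always" -eq 1 ]; then
                    echo "line $lineno: never rule below an always rule; move it to the top: $rule" >&2
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    echo "$findings"
}

# Constructed rules modelled on the thread (not a real audit.rules file):
# the rejected exclude/dir attempt, and the suggested never rule placed
# below the always rule it is supposed to suppress.
BAD_RULES='-a exit,always -S open -S chown
-a exclude,always -F dir=/proc
-a exit,never -F dir=/proc
-a exclude,always -F msgtype=CWD'

# The same intent with the suppression first, so an open() under /proc hits
# the never rule before the always rule is consulted.
GOOD_RULES='-a exit,never -F dir=/proc
-a exit,always -S open -S chown
-a exclude,always -F msgtype=CWD'

printf '%s\n' "$BAD_RULES" | lint_audit_rules    # two findings
printf '%s\n' "$GOOD_RULES" | lint_audit_rules   # none
```

Loading the fragment with `auditctl -R` and listing it with `auditctl -l` is still the only way to confirm that the kernel actually accepted the dir= field.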