OK, I admit I should know how to do this, but it is evident I do not.

On RHEL 5.11, what is the correct way for me to not audit anything in /proc?

I had tried:

-d entry,always -S all -F dir=/proc

-a exclude,always -F dir=/proc

Both of these are ignored. The first makes sense because I guess -d must match exactly a rule already loaded in the kernel.

The second is telling me I have an invalid message type, but I can’t seem to find the valid message types documented in the man pages.

Other system calls which are audited are open, fopen, chown, chattr, etc.

I am trying to prevent auditing of the open syscall on /proc/… because there are a lot of them, and it is not a requirement.

Kevin
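Added illustration, not from this thread or the audit project: a small Python checker run over a constructed rules file, modelling the two things behind the errors above. On the audit 1.x userspace shipped with RHEL 5 the exclude list accepts only -F msgtype= (any other field is rejected), and the kernel walks the exit list in order and acts on the first rule that matches, so an exit,never rule for /proc only has effect when it is loaded ahead of the exit,always rules that cover the same syscalls. The parser and the shadowing test are simplified (dir= only, no uid/arch matching).

```python
import shlex

# Hypothetical checker (not part of the audit project): models the kernel
# walking a filter list in order and stopping at the first matching rule.
LISTS = ('exit', 'entry', 'task', 'user', 'exclude')

def parse_rule(line):
    """Return (list, action, syscalls, fields) for an -a/-A line, else None."""
    toks = shlex.split(line.split('#', 1)[0])
    if len(toks) < 2 or toks[0] not in ('-a', '-A'):
        return None
    a, b = toks[1].split(',', 1)
    lst, action = (a, b) if a in LISTS else (b, a)   # both orders are accepted
    syscalls, fields = set(), {}
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt == '-S':
            syscalls.add(arg)
        elif opt == '-F':
            key, _, value = arg.partition('=')
            fields[key.rstrip('!<>')] = value
    return lst, action, syscalls or {'all'}, fields   # no -S means every syscall

def shadows(always, never):
    """True if the earlier exit,always rule already matches what 'never' targets."""
    s1, f1, s2, f2 = always[1], always[2], never[1], never[2]
    same_syscall = 'all' in s1 or 'all' in s2 or bool(s1 & s2)
    same_tree = 'dir' not in f1 or f1['dir'] == f2.get('dir')
    return same_syscall and same_tree

def lint_rules(text):
    """Return [(line_no, message)] for rules that will not do what was intended."""
    findings, earlier_always = [], []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        lst, action, syscalls, fields = rule
        if lst == 'exclude' and any(k != 'msgtype' for k in fields):
            findings.append((n, 'exclude list only takes -F msgtype= here'))
        elif lst == 'exit' and action == 'always':
            earlier_always.append((n, syscalls, fields))
        elif lst == 'exit' and action == 'never':
            for prior in earlier_always:
                if shadows(prior, (n, syscalls, fields)):
                    findings.append((n, 'shadowed by always rule on line %d' % prior[0]))
                    break
    return findings

# Constructed sample: typical always rules, the post's exclude attempt, then a late never rule.
RULES = "-a exit,always -S open -S chown\n-a exclude,always -F dir=/proc\n-a exit,never -F dir=/proc\n"
```

Moving the never rule to the top of the file makes `lint_rules` return no findings for it.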