On Wednesday, July 24, 2019 5:27:59 AM EDT 杨海 wrote:
 Hi
 
 I am looking for the method to filter the PROCTITLE events via auditctl.
 
 It is said we can do it, but I could not figure out how. 
Did you read about the exclude filter?  :-)
 "The proctitle event is emitted during syscall audits, and can be filtered with auditctl."
-a always,exclude -F msgtype=PROCTITLE
There is another example in the 20-dont-audit.rules file.
-Steve