I am monitoring open syscalls on /etc/shadow and am receiving alerts
that I would like to suppress. Is it possible to exclude alerts for
files opened with particular commands? For example, xlock opening the
shadow file? I didn't see an option like this in the auditctl man page,
but I know those pages may be outdated.
Thanks,
Steve