Ok I admit I should know how to do this, but it is evident I do not. On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
I had tried:

    -d entry,always -S all -F dir=/proc
    -a exclude,always -F dir=/proc

Both of these are ignored. The first makes sense because I guess -d must match exactly a rule already loaded in the kernel. The second is telling me I have an invalid message type, but I can't seem to find the valid message types documented in the man pages.

Other system calls which are audited are open, fopen, chown, chattr, etc. I am trying to prevent auditing of the open syscall on /proc/... because there are a lot of them, and it is not a requirement.

Kevin
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
