On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
>
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
>
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
>
> Both of these are ignored. The first makes sense because I guess -d
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule. (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old. More types are supported upstream and only in very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
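The suggestion above ("-a exit,never -F dir=/proc") only suppresses records if the kernel reaches that rule before a matching "always" rule: the syscall exit filter stops at the first rule that matches, so a suppression rule that is listed after "-a exit,always -S open" has no effect. The script below is an added example, not code from the thread or from the audit project. It writes a constructed rules file with the never rule placed first and provides a small check, `check_never_first`, that flags the rules file if a never rule for a directory is missing or sits after the first "exit,always" rule. The rules file path (/etc/audit/audit.rules on the reader's system) and the specific "always" rules are assumptions used only to make the sample self-contained.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): order audit rules so that
# the /proc suppression rule precedes the rules that would record open().
# Assumption: rules are loaded in file order (auditctl -R), first match wins.

# Constructed sample rules file; the "always" rules are illustrative only.
make_sample_rules() {
  cat <<'EOF'
# Suppression first: the exit filter stops at the first matching rule.
-a exit,never -F dir=/proc
# General syscall auditing (assumed policy, for illustration)
-a exit,always -S open -S openat -F exit=-EACCES
-a exit,always -S chown -S fchown
EOF
}

# check_never_first FILE DIR
# Exit 0 if FILE contains "-a exit,never -F dir=DIR" (or "always,exit" style
# spelling of the flags) and every such rule appears before the first
# "exit,always" rule; exit 1 otherwise. Comments and blank lines are ignored.
check_never_first() {
  file="$1"; dir="$2"
  awk -v dir="$dir" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "-a" && $2 ~ /^(exit,always|always,exit)$/ {
        if (!seen_always) seen_always = NR
    }
    $1 == "-a" && $2 ~ /^(exit,never|never,exit)$/ && $0 ~ ("-F dir=" dir "( |$)") {
        found = 1
        if (seen_always) bad = 1
    }
    END { exit (found && !bad) ? 0 : 1 }
  ' "$file"
}

# Stand-alone usage: write the sample file and check it.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_RULES_NO_MAIN" ]; then
  rules=$(mktemp)
  make_sample_rules > "$rules"
  if check_never_first "$rules" /proc; then
    echo "ok: never rule for /proc precedes the first exit,always rule"
  else
    echo "bad: /proc suppression missing or listed after an exit,always rule"
  fi
  rm -f "$rules"
fi
```

Run the check against the real rules file before loading it with `auditctl -R`; a rules file that fails the check will still load without error, which is exactly why the mistake is easy to miss.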
