On Tuesday, May 16, 2017 8:54:40 AM EDT Boyce, Kevin P [US] (AS) wrote:
> I'll give that a shot. How do I find out what the supported message types
> are?

ausearch -m x

This will cause ausearch to output an error message that describes the supported types.

-Steve

> -----Original Message-----
> From: Richard Guy Briggs [mailto:[email protected]]
> Sent: Monday, May 15, 2017 11:23 PM
> To: Boyce, Kevin P [US] (AS) <[email protected]>
> Cc: [email protected]
> Subject: EXT :Re: Exclude Watched Items
>
> On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> > Ok, I admit I should know how to do this, but it is evident I do not.
> >
> > On RHEL 5.11, what is the correct way for me to not audit anything in
> > /proc?
> >
> > I had tried:
> > -d entry,always -S all -F dir=/proc
> > -a exclude,always -F dir=/proc
> >
> > Both of these are ignored. The first makes sense because I guess -d
> > must match exactly a rule already loaded in the kernel.
>
> "-d" says delete the rule. (I think the entry list is deprecated.)
>
> > The second is telling me I have an invalid message type, but I can't
> > seem to find the valid message types documented in the man pages.
>
> The exclude list only supports "-F msgtype=" on anything that old.
> More types are supported upstream and only very recent RHEL7.
>
> > Other system calls which are audited are open, fopen, chown, chattr, etc.
> > I am trying to prevent auditing of the open syscall on /proc/...
> > because there are a lot of them, and it is not a requirement.
>
> How about "-a exit,never -F dir=/proc"?
>
> > Kevin
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa,
> Red Hat Canada IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
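Added example, not part of the thread: a small simulator of how the kernel's exit filter walks the loaded rule list in order and stops at the first match, which is why the "-a exit,never -F dir=/proc" suggestion above only suppresses the open/chown records if it is loaded before the "always" rules (auditctl(8) says suppressions belong at the top of the list). The rule parser covers only the subset of auditctl syntax used in the thread, the rule sets and the event are constructed, and version differences in "-F dir=" support are not modelled.

```python
import shlex

def parse_rule(line):
    """Parse one auditctl '-a' rule: '-a exit,never'/'-a never,exit',
    repeated '-S <syscall|all>' and '-F dir=<path>'. Anything else raises."""
    toks = shlex.split(line)
    if len(toks) % 2:
        raise ValueError("option without value in: " + line)
    rule = {"list": None, "action": None, "syscalls": set(), "dir": None}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-a":
            parts = val.split(",")
            if len(parts) != 2 or not {"always", "never"} & set(parts):
                raise ValueError("bad -a value: " + val)
            rule["action"] = "never" if "never" in parts else "always"
            rule["list"] = [p for p in parts if p != rule["action"]][0]
        elif opt == "-S":
            rule["syscalls"].add(val)
        elif opt == "-F" and val.startswith("dir="):
            rule["dir"] = val[4:].rstrip("/") or "/"
        else:
            raise ValueError("unsupported option: %s %s" % (opt, val))
    if rule["list"] != "exit":
        raise ValueError("this simulator only models the exit list")
    return rule

def matches(rule, event):
    """True if every field present in the rule matches the syscall event."""
    sc = rule["syscalls"]
    if sc and "all" not in sc and event["syscall"] not in sc:
        return False
    d = rule["dir"]
    if d is not None:
        p = event.get("path", "")
        if not (p == d or p.startswith(d.rstrip("/") + "/")):
            return False
    return True

def decide(rule_lines, event):
    """First matching rule wins (kernel exit-filter semantics); None means
    no syscall rule matched, so these rules generate no record."""
    for rule in (parse_rule(l) for l in rule_lines):
        if matches(rule, event):
            return rule["action"]
    return None

# Constructed rule sets: same rules, only the load order differs.
RULES_GOOD = ["-a exit,never -F dir=/proc", "-a exit,always -S open -S chown"]
RULES_BAD = list(reversed(RULES_GOOD))
PROC_OPEN = {"syscall": "open", "path": "/proc/1234/status"}  # constructed event

if __name__ == "__main__":
    print(decide(RULES_GOOD, PROC_OPEN))  # never
    print(decide(RULES_BAD, PROC_OPEN))   # always
```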
