Hello,

On Tuesday, July 30, 2019 8:18:41 AM EDT 杨海 wrote:
> Thanks for the suggestion on read/write. I have two more questions which I
> haven't figured out.
> 1) Do auditctl rules support regular expressions?
> For some params, it is not easy to filter specific messages using "=" or
> "!=".

No. Most things inside the kernel are numbers. Text is a human convenience.

> 2) In message payload, some fields are not what we care about. Any
> way we can reduce the fields/params in audit log?

By default, no. You could patch auditd to do so if it's really necessary.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
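Since the kernel filter only does exact comparisons and auditd writes every field by default, both of the things asked about above (regex matching and dropping uninteresting fields) are normally done in user space after the records are written. The following is an added example, not code from this thread or from the audit project: a small post-processing stage that parses auditd's `key=value` record layout, applies a regular expression to one chosen field, and keeps only a whitelist of fields for the forwarded copy. The sample records, the `KEEP` list and the function names are constructed for the example; the raw log on disk is left untouched, only the copy handed onward is reduced.

```python
import re

# Constructed sample records (not real captures) in auditd's key=value layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1564489121.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c3f0a2b0 a2=80000 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc_watch"
type=PATH msg=audit(1564489121.123:456): item=0 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1564489130.456:457): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c3f0b000 a1=0 a2=0 a3=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
"""

# Fields worth forwarding; everything else (arch, a0..a3, the *id variants, ...) is dropped.
# This list is an assumption for the example, not an auditd setting.
KEEP = ("type", "msg", "syscall", "success", "auid", "uid", "pid",
        "comm", "exe", "key", "name")

# key=value, where value is "quoted", (parenthesised) like (none)/(null), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Turn one audit record line into a dict of field -> value (quotes removed)."""
    record = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        else:
            value = value.rstrip(":")      # msg=audit(...): carries a trailing colon
        record[key] = value
    return record


def reduce_record(record, keep=KEEP):
    """Keep only whitelisted fields, preserving the order of the whitelist."""
    return {k: record[k] for k in keep if k in record}


def matches(record, field, pattern):
    """Regex match on a single field; records lacking the field never match."""
    value = record.get(field)
    return value is not None and re.search(pattern, value) is not None


def process(log_text, keep=KEEP, field=None, pattern=None):
    """Parse, optionally regex-filter on one field, then reduce each record."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if field is not None and not matches(record, field, pattern):
            continue
        out.append(reduce_record(record, keep))
    return out


def format_record(record):
    """Re-serialise a reduced record in the same key=value style."""
    return " ".join(f"{k}={v}" for k, v in record.items())


if __name__ == "__main__":
    # Only SYSCALL records whose exe matches the pattern; PATH records have no exe and are dropped.
    for rec in process(SAMPLE_LOG, field="exe", pattern=r"^/usr/s?bin/(cat|sshd)$"):
        print(format_record(rec))
```

The regex is applied to the already-resolved text value, so the kernel still does only the cheap numeric comparison in the rule (for instance on `auid` or `syscall`) and this stage narrows the result further; an `auditctl -F` rule should keep the kernel-side volume down first, since nothing here reduces what the kernel emits.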