I am required to Audit the following:
chmod
chown
rename
delete
This is causing a lot of entries to the audit log from programs like Opera. I am trying to find out how to exclude programs from the Audit log.
From the man page audit.rules:
Rules on the exit filter are much more common and all fields are available for use at syscall exit.
I have tried the following, but just get "There was an error in line":
-a exit,never -F comm="opera"
I tried adding -F arch=b32 and 64. I tried adding a SYSCALL, but I continue to get "There was an error in line" when the rule has -F comm=.
I did a test and found that you do not need a SYSCALL on a rule, by deleting everything after arch=bxx.
-a exit,never -F arch=b32
-a exit,never -F arch=b64
The system took it and filtered everything out of the log.
I have tried exe= but got the same problem.
comm="cat"
The comm field records the command-line name of the command that was used to invoke the analyzed process. In this case, the cat command was used to trigger this Audit event.
exe="/bin/cat"
The exe field records the path to the executable that was used to invoke the analyzed process.
Does anyone know enough about audit to tell me how to write an exclude filter for programs? I am getting the same error on 13.2 and 42.1. Thank you.
Dave W
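The rule layout the question is asking about, as an added example that is not part of Dave W's post and not taken from the audit project: a small POSIX shell script that writes a rules fragment suppressing chmod/chown/rename/delete events for one program and then auditing those syscalls for everything else, plus a check that the "never" rules really come before the "always" rules, since audit evaluates rules in order and an exclusion placed after the rule that records the event does nothing. It assumes the program to exclude lives at /usr/bin/opera (a hypothetical path) and that the installed auditctl accepts the -F exe= field; that field only exists in newer audit userspace and kernel releases, and an auditctl that does not know it rejects the rule with exactly the "There was an error in line" message the post reports, so the script is for a system newer than the ones in the question.

```shell
#!/bin/sh
# Added example, not from the original post or from the audit project.
# Assumptions: auditctl understands '-F exe=' (newer releases only) and
# /usr/bin/opera is the hypothetical binary whose events we want dropped.

# Hypothetical binary to exclude; override with OPERA_BIN=/path if needed.
OPERA_BIN=${OPERA_BIN:-/usr/bin/opera}

# One syscall list covering chmod, chown, rename and delete, including the
# f*/l*/*at variants that libraries use instead of the classic names.
SYSCALLS=chmod,fchmod,fchmodat,chown,fchown,lchown,fchownat,rename,renameat,unlink,unlinkat

# Print the rules fragment for both ABIs. The 'never' rules are emitted
# first on purpose: rules are matched in order, so the exclusion must
# precede the 'always' rule that would otherwise record the event.
gen_rules() {
    for arch in b32 b64; do
        printf '%s\n' "-a never,exit -F arch=$arch -S $SYSCALLS -F exe=$OPERA_BIN"
    done
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S $SYSCALLS -k file_changes"
    done
}

# Check a rules file: every exit-list 'never' rule must appear before the
# first exit-list 'always' rule, otherwise the exclusion is dead.
# Returns 0 when the ordering is correct, 1 otherwise.
check_order() {
    awk '
        /^-a always,exit/ { seen_always = 1 }
        /^-a never,exit/ && seen_always { bad = 1 }
        END { exit bad }
    ' "$1"
}

# Write the fragment to a temporary file and verify it before loading.
# Loading (auditctl -R) needs root and a running auditd, so it is only
# printed here rather than executed.
main() {
    tmp=$(mktemp)
    gen_rules > "$tmp"
    if check_order "$tmp"; then
        echo "rules ordered correctly; load with: auditctl -R $tmp"
        echo "or append the contents to /etc/audit/audit.rules"
        status=0
    else
        echo "a never rule appears after an always rule; fix the order" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

Two things to keep in mind when adapting it: the excluded program must be matched by the same arch and syscall set as the recording rule, which is why both rules share SYSCALLS and both ABIs are covered; and the check only looks at ordering, it does not know whether the local auditctl accepts -F exe= at all, so run the generated fragment through `auditctl -R` on the target host to get the definitive answer.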