I have recently been playing with auditd and trying to trim some of its logging. These are my audit.rules entries for logging execve:
# First rule - delete all
-D
-a always,exit -F arch=b64 -S execve
-a always,exit -F arch=b64 -S vfork
-a always,exit -F arch=b64 -S fork
This produces, for example, the following:
type=SYSCALL msg=audit(1384889328.421:128620): arch={redacted} syscall={redacted} success={redacted} exit={redacted} a0={redacted} a1={redacted} a2={redacted} a3={redacted} items={redacted} ppid={redacted} pid={redacted} auid={redacted} uid={redacted} gid={redacted} euid={redacted} suid={redacted} fsuid={redacted} egid={redacted} sgid={redacted} fsgid={redacted} tty={redacted} ses={redacted} comm="{redacted}" exe="{redacted}"
type=EXECVE msg=audit(1384889328.421:128620): argc={redacted} a0="{redacted}" a1="{redacted}" a2="{redacted}"
type=CWD msg=audit(1384889328.421:128620): cwd="{redacted}"
type=PATH msg=audit(1384889328.421:128620): item=0 name="/{redacted}" inode={redacted} dev={redacted} mode={redacted} ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1384889328.421:128620): item=1 name=(null) inode={redacted} dev={redacted} mode={redacted} ouid=0 ogid=0 rdev=00:00
How can I say that I do not want type=PATH to be logged? Or, for that matter, any given "type"?
Thanks
-a exclude,never -F msgtype=PATH
The man page describes the other filters you can apply.
libaudit.h has the best list of types I have found.
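As an added example (not part of the question or the answer above), the following script puts the questioner's rules and the answer's exclusion rule together into one audit.rules file, and adds a small post-hoc filter over raw audit log text that drops records by their type= field, so you can preview on existing logs what the exclude filter will suppress. The sample records, the helper names (audit_rules, sample_records, drop_record_types, count_records) and the field values in them are constructed for this example; the exclude rule itself is the one given in the answer.

```sh
#!/bin/sh
# Added example, not code from the original thread.
#  1. audit_rules: the questioner's rules plus the answer's exclude rule, as
#     one audit.rules file (load with `auditctl -R`, verify with `auditctl -l`).
#  2. drop_record_types: a post-hoc filter over raw audit log text that drops
#     records of the listed types, so you can preview what the exclude rule
#     will remove from logs you already have.

# Print a complete audit.rules file. Order matters: -D must come first so
# stale rules from a previous load do not linger.
audit_rules() {
cat <<'EOF'
# First rule - delete all
-D
# Log every execve/vfork/fork on the 64-bit syscall ABI
-a always,exit -F arch=b64 -S execve
-a always,exit -F arch=b64 -S vfork
-a always,exit -F arch=b64 -S fork
# Exclusion filter: drop PATH records by message type (rule from the answer)
-a exclude,never -F msgtype=PATH
EOF
}

# Constructed sample records (made-up values, same layout as the question's log)
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1384889328.421:128620): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1384889328.421:128620): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1384889328.421:128620): cwd="/root"
type=PATH msg=audit(1384889328.421:128620): item=0 name="/bin/ls" inode=1234 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1384889328.421:128620): item=1 name=(null) inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
EOF
}

# drop_record_types TYPE[,TYPE...]: read raw audit records on stdin and drop
# every record whose leading type= field names one of the given types.
drop_record_types() {
    awk -v list="$1" '
        BEGIN { n = split(list, names, ","); for (i = 1; i <= n; i++) drop[names[i]] = 1 }
        {
            split($1, kv, "=")              # first field is always type=NAME
            if (kv[1] == "type" && (kv[2] in drop)) next
            print
        }'
}

# count_records TYPE: number of records of TYPE on stdin (helper for checks)
count_records() {
    awk -v t="$1" '{ split($1, kv, "="); if (kv[1] == "type" && kv[2] == t) c++ } END { print c + 0 }'
}

# Stand-alone demo: show what survives once PATH is excluded.
sample_records | drop_record_types PATH
```

After writing the output of audit_rules to /etc/audit/audit.rules, load it with `auditctl -R /etc/audit/audit.rules` and confirm with `auditctl -l` that the exclude rule is present. The SYSCALL, EXECVE and CWD records of one event still share the same msg=audit(timestamp:serial) key, so ausearch keeps correlating them after the PATH records are gone; what you lose is the inode/device/owner of each path the syscall touched, which is the trade-off to weigh before suppressing the type.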