* How to monitor only when a binary is launched
@ 2020-10-20 8:59 MAUPERTUIS, PHILIPPE
2020-10-20 13:33 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: MAUPERTUIS, PHILIPPE @ 2020-10-20 8:59 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 1402 bytes --]
Hello,
Aide or clamscan are analyzing all the files on the system thus generating a lot of messages
They are binaries that I can trust so I can exclude their activity from auditd.
I know that I can do this with -a never,exit -F arch=b64 -F exe=/sbin/aide
However I would like to have an entry for the execution of the binary itself with the parameters used.
I would like to turn off only the report of the syscall it issued .
Is there a general way to achieve that : record the launch of a binary but not its actions.
Thanks
Philippe
Worldline and equensWorldline are registered trademarks and trading names owned by the Worldline Group.
This e-mail and any documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this e-mail from your systems. As e-mails may be intercepted, amended or lost, they are not secure. Worldline and its subsidiaries therefore cannot accept liability for any errors in their content. Although Worldline endeavours to maintain a virus-free network, we do not warrant that this e-mail is virus-free and cannot accept liability for any damages resulting from any transmitted virus if any. The risks are deemed to be accepted by anyone who communicates with Worldline or its subsidiaries by e-mail.
[-- Attachment #1.2: Type: text/html, Size: 3719 bytes --]
[-- Attachment #2: Type: text/plain, Size: 102 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: How to monitor only when a binary is launched
2020-10-20 8:59 How to monitor only when a binary is launched MAUPERTUIS, PHILIPPE
@ 2020-10-20 13:33 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2020-10-20 13:33 UTC (permalink / raw)
To: linux-audit@redhat.com; +Cc: MAUPERTUIS, PHILIPPE
On Tuesday, October 20, 2020 4:59:56 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Aide or clamscan are analyzing all the files on the system thus generating
> a lot of messages They are binaries that I can trust so I can exclude
> their activity from auditd. I know that I can do this with -a never,exit
> -F arch=b64 -F exe=/sbin/aide
>
> However I would like to have an entry for the execution of the binary
> itself with the parameters used. I would like to turn off only the report
> of the syscall it issued .
>
> Is there a general way to achieve that : record the launch of a binary but
> not its actions.
Wouldn't -a always,exit -S execve do the job?
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-10-20 13:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-20 8:59 How to monitor only when a binary is launched MAUPERTUIS, PHILIPPE
2020-10-20 13:33 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).