* How to filter PROCTITLE events
From: 杨海 @ 2019-07-24 9:27 UTC (permalink / raw)
To: linux-audit
Hi
I am looking for a method to filter PROCTITLE events via auditctl.
It is said we can do it, but I could not figure out how.
"The proctitle event is emitted during syscall audits, and can be filtered with auditctl."
Regards
Hai
* Re: How to filter PROCTITLE events
From: Steve Grubb @ 2019-07-24 12:14 UTC (permalink / raw)
To: linux-audit
On Wednesday, July 24, 2019 5:27:59 AM EDT 杨海 wrote:
> Hi
>
> I am looking for the method to filter the PROCTITLE events via auditctl.
>
> It is said we can do it, but I could not figure out how.
Did you read about the exclude filter? :-)
> "The proctitle event is emitted during syscall audits, and can be filtered
> with auditctl."
-a always,exclude -F msgtype=PROCTITLE
There is another example in the 20-dont-audit.rules file.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: How to filter PROCTITLE events
From: 杨海 @ 2019-07-25 5:44 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Thanks Steve. It works :-)
Meanwhile, for read/write system calls, if they belong to the same pid and the same fd, we are trying to suppress them into one message. I guess it would not be possible to filter them using auditctl, is that right?
Regards
Hai
* Re: How to filter PROCTITLE events
From: Steve Grubb @ 2019-07-25 14:51 UTC (permalink / raw)
To: 杨海; +Cc: linux-audit
On Thursday, July 25, 2019 1:44:07 AM EDT 杨海 wrote:
> Thanks Steve. It works :-)
> Meanwhile, for read/write system call, if they belongs to same pid and same
> fd, we are trying to suppress them into one msg. I guess it would not be
> able to filter using auditctl, is that right?
Technically you could suppress them. In practice, it's not feasible. You
would need to have application specific rules to suppress. The more rules you
have the more performance you lose.
But I would start by questioning whether you really need to monitor reads and
writes? If a file is opened with O_WRONLY or O_RDWR, can it just be assumed
that the file was written to?
-Steve
* Re: How to filter PROCTITLE events
From: 杨海 @ 2019-07-30 12:18 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi Steve,
Thanks for the suggestion on read/write. I have two more questions which I haven't figured out.
1) Do auditctl rules support regular expressions? For some params, it is not easy to filter specific messages using "=" or "!=".
2) In the message payload, some fields are not what we care about. Is there any way we can reduce the fields/params in the audit log?
Regards
Hai
* Re: How to filter PROCTITLE events
From: Steve Grubb @ 2019-07-30 12:29 UTC (permalink / raw)
To: 杨海; +Cc: linux-audit
Hello,
On Tuesday, July 30, 2019 8:18:41 AM EDT 杨海 wrote:
> Thanks for the suggestion on read/write. I have two more questions which I
> haven't figured out.
> 1) Does auditctl rules support regular expressions?
> For some params, it is not easy to filter specific messages using “=” or
> "!=".
No. Most things inside the kernel are numbers. Text is a human convenience.
> 2) In message payload, some fields are not what we care about. Any
> way we can reduce the fields/params in audit log?
By default, no. You could patch auditd to do so if it's really necessary.
-Steve
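The answers above settle what can be done in the kernel rule engine: PROCTITLE records can be dropped with the exclude filter (`-a always,exclude -F msgtype=PROCTITLE`), collapsing read/write events per (pid, fd) is not practical as a rule, there are no regular expressions, and auditd has no option to trim fields. Everything else has to happen in userspace on the log stream. The following is an added example, not code from this thread or from the audit project, showing that post-processing on raw audit.log lines: it groups records by event serial, decodes the hex-encoded proctitle (argv joined by NUL bytes), applies a record-type exclusion equivalent to the kernel rule, a regex deny-list on the decoded command line, a field whitelist, and a per-(pid, fd) fold of read/write syscall events. The log lines are constructed for this example; the field layout follows the audit.log format and the syscall numbers (read=0, write=1) assume x86_64 (arch=c000003e).

```python
import re
from collections import OrderedDict

# Constructed sample audit.log records (not real output). Event 4521 is cat
# reading /etc/passwd; events 4522/4523 are two read() calls on the same fd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1563960000.123:4521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c3a a2=0 a3=0 items=1 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="passwd-read"
type=CWD msg=audit(1563960000.123:4521): cwd="/root"
type=PATH msg=audit(1563960000.123:4521): item=0 name="/etc/passwd" inode=1310 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1563960000.123:4521): proctitle=2F7573722F62696E2F636174002F6574632F706173737764
type=SYSCALL msg=audit(1563960001.500:4522): arch=c000003e syscall=0 success=yes exit=4096 a0=5 a1=55d0 a2=1000 a3=0 items=0 ppid=1000 pid=4444 auid=1000 uid=1000 gid=1000 euid=1000 comm="tail" exe="/usr/bin/tail" key="fd-read"
type=PROCTITLE msg=audit(1563960001.500:4522): proctitle="tail"
type=SYSCALL msg=audit(1563960001.501:4523): arch=c000003e syscall=0 success=yes exit=4096 a0=5 a1=55d0 a2=1000 a3=0 items=0 ppid=1000 pid=4444 auid=1000 uid=1000 gid=1000 euid=1000 comm="tail" exe="/usr/bin/tail" key="fd-read"
type=PROCTITLE msg=audit(1563960001.501:4523): proctitle="tail"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
READ_WRITE_X86_64 = {'0': 'read', '1': 'write'}   # assumption: x86_64 numbering


def parse_record(line):
    """Split one raw record into (type, serial, {field: raw value})."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    return rtype, int(serial), dict(FIELD_RE.findall(body))


def decode_proctitle(value):
    """The kernel hex-encodes proctitle when it contains NUL or unprintable
    bytes (argv elements are NUL-separated); otherwise it is a quoted string."""
    if value.startswith('"'):
        return [value.strip('"')]
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]            # leave anything unparseable untouched
    return [a.decode('utf-8', 'replace') for a in raw.split(b'\0') if a]


def group_events(raw_log):
    """Group records by serial so one syscall event is handled as a unit."""
    events = OrderedDict()
    for line in raw_log.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events.setdefault(serial, []).append((rtype, fields))
    return events


def filter_events(events, exclude_types=frozenset({'PROCTITLE'}),
                  deny_proctitle=None, keep_fields=None):
    """Userspace counterparts of what the kernel rules cannot express:
    exclude_types drops record types (like -F msgtype=... but after the fact),
    deny_proctitle is a regex on the decoded argv that drops the whole event,
    keep_fields keeps only the listed fields of each surviving record."""
    out = OrderedDict()
    for serial, records in events.items():
        argv = []
        for rtype, fields in records:
            if rtype == 'PROCTITLE' and 'proctitle' in fields:
                argv = decode_proctitle(fields['proctitle'])
        if deny_proctitle and argv and re.search(deny_proctitle, ' '.join(argv)):
            continue
        kept = []
        for rtype, fields in records:
            if rtype in exclude_types:
                continue
            if keep_fields:
                fields = {k: v for k, v in fields.items() if k in keep_fields}
            kept.append((rtype, fields))
        if kept:
            out[serial] = kept
    return out


def summarize_rw(events):
    """Fold repeated read/write SYSCALL events on the same (pid, fd) into
    counts; a0 is the fd and is logged in hex."""
    counts = OrderedDict()
    for records in events.values():
        for rtype, f in records:
            if (rtype == 'SYSCALL' and f.get('arch') == 'c000003e'
                    and f.get('syscall') in READ_WRITE_X86_64):
                key = (int(f['pid']), int(f['a0'], 16), READ_WRITE_X86_64[f['syscall']])
                counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    ev = group_events(SAMPLE_LOG)
    for serial, recs in filter_events(ev, keep_fields={'syscall', 'pid', 'comm', 'name'}).items():
        print(serial, recs)
    print(summarize_rw(ev))
```

The kernel-side exclude rule is still the right first step, since a record that is never emitted costs nothing to ship or store; the userspace pass is for the things the thread says the rule engine cannot do, and it consumes the same raw lines that ausearch reads.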