
File Monitoring



I am monitoring open syscalls on /etc/shadow and am receiving alerts that I would like to suppress. Is it possible to exclude alerts for files opened with particular commands? For example, xlock opening the shadow file? I didn't see an option like this in the auditctl man page, but I know those pages may be outdated.

Thanks,
Steve

