auditd: auditing syscall with flags
Issue
The objective is to audit a syscall, filtered on the value of an argument that the application passes to it.

For example: the need is to create a rule that will monitor all usage of "chattr -i" on any file/directory.

The issue is that the rule used:
-a always,exit -F arch=b64 -S ioctl -F a1=0x40086602 -F key=chattr
shows all usage of chattr, not only "chattr -i" as we would like.
Environment
- RHEL
- auditd