How to restrict audit rules to monitor a system call with specific flags?

Solution Unverified - Updated -

Issue

  • How can new namespace creation through the clone system call be monitored? Recording every clone call produces too many records, and creation of the cgroup namespace does not need to be monitored.
  • How to configure audit to monitor the clone system call only when specific flags are set?
  • How to check specific system call flags in audit rules?

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • audit
