How to restrict audit rules to monitor a system call with specific flags?
Issue
- How to monitor new namespace creation with the clone system call? Recording every clone call produces too many records, and the cgroup namespace does not need to be monitored.
- How to configure audit to monitor the clone system call with specific flags?
- How to check some system call flags in audit rules?
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- audit