Hi, I'm currently implementing system auditing with auditd(8) and was wondering if I can create a custom audit_class(5).
I want to have something like the fm (file attribute modify) class without the open and flock events.
I tried to create a new class with a new bitmap (I used 0x00000009 instead of 0x00000008) and added the events I wanted to audit_event(5), but I'm still getting the open/flock events written out.
When I change the bitmap to something like 0x00000015 I get different kinds of events written to the trail.
So what can I do to only get certain events from an audit_class(5)?