Update audit.rules High Volume Event Filter (especially on Linux Work…

…stations) only same structure with -F key= instead of -k
Neo23x0 · Feb 21, 2024 · 0a7589c · 0a7589c
1 parent 36a7c52
commit 0a7589c
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/audit.rules b/audit.rules
@@ -94,8 +94,11 @@
 -a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
 
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
--a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
+-a never,exit -F arch=b32 -F dir=/dev/shm/ -F key=sharedmemaccess
+-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess
+
+-a never,exit -F arch=b32 -F dir=/var/lock/lvm/ -F key=locklvm
+-a never,exit -F arch=b64 -F dir=/var/lock/lvm/ -F key=locklvm
 
 ## FileBeat
 -a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat