From 0a7589c4710c81a15f21f754dd803cf3ba58fd31 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Wed, 21 Feb 2024 06:41:14 +0100
Subject: [PATCH] Update audit.rules

High Volume Event Filter (especially on Linux Workstations) only same structure with -F key= instead of -k
---
 audit.rules | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/audit.rules b/audit.rules
index 41b7e22..729852e 100644
--- a/audit.rules
+++ b/audit.rules
@@ -94,8 +94,11 @@
 -a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
--a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
+-a never,exit -F arch=b32 -F dir=/dev/shm/ -F key=sharedmemaccess
+-a never,exit -F arch=b64 -F dir=/dev/shm/ -F key=sharedmemaccess
+
+-a never,exit -F arch=b32 -F dir=/var/lock/lvm/ -F key=locklvm
+-a never,exit -F arch=b64 -F dir=/var/lock/lvm/ -F key=locklvm
 ## FileBeat
 -a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat
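Review bot: The four added `never,exit` rules now suppress syscall auditing for everything under /dev/shm on both the b32 and b64 ABIs, and because no `-S` list is given they apparently apply to every syscall, so this is a broad exclusion of a world-writable tmpfs that is a known detection blind spot rather than a filter on a single noisy producer. The vmtoolsd line just above shows the narrower pattern this file already uses; where the high-volume process is known, scoping with `-F exe=` (or at least a reduced `-S` list) keeps coverage of the directory for everything else. At minimum the section should say which workload the exclusion is for, e.g. `## NOTE: suppresses all syscall audit under /dev/shm and /var/lock/lvm on both ABIs; document the noisy producer here and prefer -F exe= scoping where feasible`. auditctl evaluates syscall rules in order with first match winning, so these `never` rules only take effect if they precede any `always` rule that would otherwise match; the hunk does not show where the matching `always` rules sit, so that ordering should be confirmed. The hunk header counts eight old and eleven new lines but only six and nine are visible, so blank context lines may have been lost in transit.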