Audit Rules Exclusions
Hey guys, trying to find out how to correctly exclude/ not collect audit events for a specific path to a .sh script but struggling to get it to work. My audit.rules file contains the following:
-a never,exit -F arch=b64 -S execve -F dir=/usr/bin/local/<name of file>.sh
But it is still being logged and forwarded to a SIEM. Is there an issue with excluding .sh?