Good day!
Is it possible to disable TailWatchd tracking for a specific service like TaniumRecorder?
We use the auditd service and for the measures TaniumRecorder. So I don't have access to configure TaniumRecorder.
But after installing Tanium there are many messages in the audit.log:
node=hostname type=SYSCALL msg=audit(1656586627.523:1012855268): arch=c000003e syscall=49 success=no exit=-99 a0=11b a1=2a76720 a2=10 a3=1 items=0 ppid=1 pid=1751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tailwatchd" exe="/usr/local/cpanel/libexec/tailwatch/tailwatchd" key="TaniumRecorder"
node=hostname type=SOCKADDR msg=audit(1656586627.523:1012855268): saddr=0200000031B91AAE0000000000000000
node=hostname type=PROCTITLE msg=audit(1656586627.523:1012855268): proctitle="tailwatchd"
Or is it better to disable the tailwatchd dir for auditd?
TY!
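Before excluding anything, it helps to see what the logged event actually is. The following is an added example, not part of the original post: it groups the three records above by their audit serial number and decodes the syscall number, the exit code and the `saddr` field. The lookup tables and function names are assumptions made for this illustration and cover x86_64 Linux only.

```python
import re
import socket
import struct

# Linux x86_64 syscall numbers and errno values needed for socket triage.
SYSCALLS_X86_64 = {41: "socket", 42: "connect", 43: "accept", 49: "bind", 50: "listen"}
ERRNO_LINUX = {13: "EACCES", 98: "EADDRINUSE", 99: "EADDRNOTAVAIL"}

# The three records from the post, trimmed to the fields used below.
SAMPLE = '''\
node=hostname type=SYSCALL msg=audit(1656586627.523:1012855268): arch=c000003e syscall=49 success=no exit=-99 a0=11b a1=2a76720 a2=10 a3=1 pid=1751 uid=0 comm="tailwatchd" exe="/usr/local/cpanel/libexec/tailwatch/tailwatchd" key="TaniumRecorder"
node=hostname type=SOCKADDR msg=audit(1656586627.523:1012855268): saddr=0200000031B91AAE0000000000000000
node=hostname type=PROCTITLE msg=audit(1656586627.523:1012855268): proctitle="tailwatchd"
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records that share an audit serial number: {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
            events.setdefault(m.group(2), {})[m.group(1)] = fields
    return events

def decode_saddr(hexstr):
    """Decode an IPv4 sockaddr: host-order family, network-order port, address."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]  # little-endian on x86_64
    if family != socket.AF_INET or len(raw) < 8:
        return {"family": family}  # other address families are left undecoded
    port = struct.unpack("!H", raw[2:4])[0]
    return {"family": "AF_INET", "addr": socket.inet_ntoa(raw[4:8]), "port": port}

def summarize(event):
    """Reduce one event to the fields that matter when judging audit noise."""
    sc = event["SYSCALL"]
    exit_code = int(sc["exit"])
    out = {"exe": sc["exe"], "key": sc.get("key"),
           "syscall": SYSCALLS_X86_64.get(int(sc["syscall"]), sc["syscall"]),
           "error": ERRNO_LINUX.get(-exit_code, str(exit_code)) if exit_code < 0 else None}
    if "SOCKADDR" in event:
        out["sockaddr"] = decode_saddr(event["SOCKADDR"]["saddr"])
    return out

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, summarize(ev))
```

On a live host, `ausearch -i` performs the same interpretation directly on audit.log.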