more on limiting auditing of file access
Steve Grubb
sgrubb at redhat.com
Mon Nov 5 20:08:04 UTC 2007
On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
> I have a rule that audits failed access to files:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0
>
> I assume that this is the rule that is causing so many files accessed by
> the web server to be logged. How can change this rule to exclude user
> apache from tripping this rule?
Fields (-F options) are "anded" to decide whether to trigger or not. So, you
could use:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
But you could chose to limit by partition or exact error code, too. For
example, you may not want the failures due to ENOENT (file doesn't exist). In
that case, it would be:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
-Steve
More information about the Linux-audit
mailing list