more on limiting auditing of file access

Bill Tangren bjt at usno.navy.mil
Mon Nov 5 20:32:13 UTC 2007


Steve Grubb wrote:
> On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
>> I have a rule that audits failed access to files:
>>
>> -a exit,always -S chmod -S lchown -S chown -F success=0
>>
>> I assume that this is the rule that is causing so many files accessed by
>> the web server to be logged. How can I change this rule to exclude user
>> apache from tripping this rule?
>
> Fields (-F options) are "anded" to decide whether to trigger or not. So, you
> could use:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
>
> But you could choose to limit by partition or exact error code, too. For
> example, you may not want the failures due to ENOENT (file doesn't exist).
> In that case, it would be:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
>
> -Steve
>

Thanks, Steve. I'll try these out.

And sorry about the off-list post. Don't know why that happens sometimes,
and I seem to always forget to check.

Bill

-- 
Bill Tangren
U.S. Naval Observatory
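
[Added example, not part of the original thread.] The point Steve makes is that every -F field on an audit rule must hold for the rule to fire, so appending `-F uid!=apache` or `-F exit!=-2` narrows the original rule rather than adding an alternative. The script below replays the three rules from the exchange against a handful of constructed type=SYSCALL records and reports which events each rule would have logged. It is illustrative code, not auditctl or anything from the audit project, and it makes two assumptions that are stated in the code: x86_64 syscall numbers (chmod=90, chown=92, lchown=94) and an apache account with uid 48, standing in for the /etc/passwd lookup auditctl performs when the rule is loaded.

```python
"""Model of how auditctl ANDs -F field predicates when evaluating a syscall rule.

Added example, not from the original thread or the audit project. The records
below are constructed, and the syscall numbers / uid mapping are assumptions
(x86_64 numbering; 'apache' = uid 48 as on a typical RHEL-era system).
"""
import operator
import re
import shlex

# Constructed stand-ins for the lookups auditctl does at rule-load time
# (syscall names -> numbers for the arch, user names -> uids from /etc/passwd).
X86_64_SYSCALLS = {"chmod": 90, "chown": 92, "lchown": 94, "openat": 257}
PASSWD = {"root": 0, "apache": 48}

# Constructed sample records in the type=SYSCALL format written by auditd.
SAMPLE_RECORDS = [
    # apache, chmod(), ENOENT
    'type=SYSCALL msg=audit(1194290400.101:201): arch=c000003e syscall=90 success=no exit=-2 '
    'items=1 ppid=1201 pid=1342 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
    # apache, chown(), EACCES
    'type=SYSCALL msg=audit(1194290401.117:202): arch=c000003e syscall=92 success=no exit=-13 '
    'items=1 ppid=1201 pid=1343 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
    # root, lchown(), ENOENT
    'type=SYSCALL msg=audit(1194290402.220:203): arch=c000003e syscall=94 success=no exit=-2 '
    'items=1 ppid=1900 pid=1951 auid=500 uid=0 gid=0 euid=0 comm="chown" exe="/bin/chown" key=(null)',
    # root, chmod(), succeeded: never matches success=0
    'type=SYSCALL msg=audit(1194290403.305:204): arch=c000003e syscall=90 success=yes exit=0 '
    'items=1 ppid=1900 pid=1952 auid=500 uid=0 gid=0 euid=0 comm="chmod" exe="/bin/chmod" key=(null)',
    # apache, openat(), ENOENT: fails, but the syscall is not in the rule's -S list
    'type=SYSCALL msg=audit(1194290404.410:205): arch=c000003e syscall=257 success=no exit=-2 '
    'items=1 ppid=1201 pid=1342 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
]

RULE_ORIGINAL = "-a exit,always -S chmod -S lchown -S chown -F success=0"
RULE_NO_APACHE = RULE_ORIGINAL + " -F uid!=apache"
RULE_NO_ENOENT = RULE_ORIGINAL + " -F exit!=-2"

FIELD_RE = re.compile(r"^(?P<field>\w+)(?P<op>!=|>=|<=|=|<|>)(?P<value>.+)$")
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def parse_record(line):
    """Turn one type=SYSCALL line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def parse_rule(rule):
    """Parse an auditctl rule string into (set of syscall numbers, list of -F predicates)."""
    syscalls, fields = set(), []
    tokens = shlex.split(rule)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-S":
            syscalls.add(X86_64_SYSCALLS[tokens[i + 1]])
        elif tok == "-F":
            m = FIELD_RE.match(tokens[i + 1])
            if not m:
                raise ValueError("bad -F field: " + tokens[i + 1])
            fields.append((m["field"], m["op"], m["value"]))
        elif tok != "-a":
            raise ValueError("unsupported option: " + tok)
        i += 2  # every option here takes exactly one argument (-a exit,always is skipped)
    return syscalls, fields


def _normalise(field, value):
    """Map a rule or record value onto the integer the kernel actually compares."""
    if field == "success":
        return {"yes": 1, "no": 0, "1": 1, "0": 0}[value]
    if value in PASSWD:
        return PASSWD[value]  # user name -> uid, as auditctl does when loading the rule
    return int(value)


def rule_matches(rule, record):
    """True if the syscall is listed and every -F predicate holds (fields are ANDed)."""
    syscalls, fields = rule
    if int(record["syscall"]) not in syscalls:
        return False
    return all(OPS[op](_normalise(f, record[f]), _normalise(f, v)) for f, op, v in fields)


def logged_events(rule_text, lines):
    """Return (comm, uid, exit) for each record the rule would have logged."""
    rule = parse_rule(rule_text)
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rule_matches(rule, rec):
            hits.append((rec["comm"], int(rec["uid"]), int(rec["exit"])))
    return hits


if __name__ == "__main__":
    for label, rule in (("original", RULE_ORIGINAL),
                        ("uid!=apache", RULE_NO_APACHE),
                        ("exit!=-2", RULE_NO_ENOENT)):
        print(f"{label:12s} -> {logged_events(rule, SAMPLE_RECORDS)}")
```

Two things worth keeping in mind when applying the real rules: auditctl translates `apache` into a numeric uid when the rule is loaded, so the rule must be reloaded if that account's uid ever changes, and `-2` is the ENOENT errno value, so `-F exit!=-2` suppresses only "no such file" failures while still logging EACCES/EPERM, which are usually the ones worth seeing from a web server.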
