Limiting Audit Logs For Specific Directories & Specific Error Codes
Steve Grubb
sgrubb at redhat.com
Fri Dec 11 19:40:30 UTC 2009
On Friday 11 December 2009 01:20:49 pm Wyllie, Aaron wrote:
> Hi. I have a few basic questions.
>
> First, we have a particular piece of software that generates a lot of log
> entries for file deletes (successful & unsuccessful). I'd like to limit
> what is actually captured by excluding that directory.
>
> I'm thinking that I could add: -F dir!=/var/opt/xxx/xxx
>
> Would that prevent logging from anything recursively from that directory
> and below or do I need to set rules to specifically exclude for each file
> (which I may do anyways)? Is there a different/better means for doing
> this?
I think you want
-a exit,never -F dir=/var/opt/xxx/xxx
> The second question is events resulting from running 'ls -al' as a normal
> user 'su -' to root. This is generating a failed syscall error for
> getxattr with an error code of 61 (no data available). I'm assuming that
> this is because no extended attributes were set but, regardless, I'd like
> to avoid this.
>
> I have the following rules that I think may be logging this but I'm not
> sure:
>
> -a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k SYS_attribute
> -a entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
>
> Would adding the following prevent these events from being logged or do I
> need to create a new rule(?): -F exit!=-61
Yes, that would do it. Also note that the exit code is not available for rules
on the entry filter. So, you need to change that, too.
> Lastly, is there any benefit associated with ordering the rules in
> audit.rules, i.e., are they applied in the order they are read?
They are in the order they are read in per each filter as long as you use the
'-a' operator. If you use '-A', then that rule goes to the front of the list
for the stated filter.
The only reason to order them is when you have a specific rule that you would
like to take priority over rules after it.
-Steve
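The three answers above, turned into a worked rules fragment with a small lint pass: the directory exclusion as a never rule on the exit filter placed ahead of the always rules (since -a appends in file order), the xattr rule moved off the entry filter so that -F exit!=-61 can be evaluated, and a check that catches both mistakes in a rules file. This is an added example, not code from Steve or from the audit project. The directory /var/opt/xxx/xxx, the key SYS_attribute and the syscall list are taken from the question as quoted; that list contains no getxattr, so if the ENODATA event really comes from a getxattr rule, the same -F exit!=-61 belongs on that rule. The lint's ordering check is a heuristic: it flags any appended never rule that follows an always rule on the exit filter, whether or not the two actually overlap.

```shell
#!/bin/sh
# Added example (not from the thread): corrected audit.rules fragment plus a
# lint pass for the two mistakes discussed above. Placeholders (/var/opt/xxx/xxx,
# SYS_attribute, the syscall list) come from the question as quoted. Nothing is
# loaded into the kernel unless you feed the output to `auditctl -R` as root.

# write_rules: print the corrected audit.rules fragment to stdout.
write_rules() {
    cat <<'EOF'
# Exclusion first: -a appends in file order, so a never rule only takes effect
# for events that no earlier always rule matched (-A would prepend it instead).
# -F dir= matches the directory and everything below it.
-a exit,never -F dir=/var/opt/xxx/xxx

# Moved from the entry filter to the exit filter: the return value only exists
# at syscall exit, so -F exit is not available on entry rules.
# exit!=-61 drops the ENODATA ("no data available") failures.
-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit!=-61 -k SYS_attribute
EOF
}

# lint_rules: read rules on stdin; print one line per problem; exit 0 if clean.
# Only -a (append) rules are order-checked; -A rules go to the front regardless.
lint_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        /-a[ \t]+entry,/ && /-F[ \t]+exit/ {
            print "entry filter cannot test -F exit: " $0; bad = 1 }
        /-a[ \t]+exit,always/ { seen_always = 1 }
        /-a[ \t]+exit,never/ && seen_always {
            print "never rule appended after an always rule; move it up or use -A: " $0; bad = 1 }
        END { exit bad }
    '
}

# Constructed "before" rules mirroring the question, for a demonstration run.
BAD_ENTRY_RULE='-a entry,always -F arch=b32 -S setxattr -F exit!=-61 -k SYS_attribute'
BAD_ORDER_RULES='-a exit,always -F arch=b32 -S unlink -S unlinkat -k delete
-a exit,never -F dir=/var/opt/xxx/xxx'

demo() {
    echo "== corrected rules =="
    write_rules | lint_rules && echo "clean"
    echo "== entry filter with -F exit =="
    printf '%s\n' "$BAD_ENTRY_RULE" | lint_rules || echo "rejected"
    echo "== never rule appended last =="
    printf '%s\n' "$BAD_ORDER_RULES" | lint_rules || echo "rejected"
}
demo
```

To apply the fragment for real, save `write_rules` output to a file and load it with `auditctl -R <file>` as root, then confirm the order with `auditctl -l`; the never rule must be listed before the always rules it is meant to override.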
More information about the Linux-audit mailing list