Limiting Audit Logs For Specific Directories & Specific Error Codes

Steve Grubb sgrubb at redhat.com
Fri Dec 11 19:40:30 UTC 2009


On Friday 11 December 2009 01:20:49 pm Wyllie, Aaron wrote:
> Hi.  I have a few basic questions.
> 
> First, we have a particular piece of software that generates a lot of log
>  entries for file deletes (successful & unsuccessful).  I'd like to limit
>  what is actually captured by excluding that directory.
> 
> I'm thinking that I could add: -F dir!=/var/opt/xxx/xxx
> 
> Would that prevent logging from anything recursively from that directory
>  and below or do I need to set rules to specifically exclude for each file
>  (which I may do anyways)?  Is there a different/better means for doing
>  this?

I think you want

-a exit,never -F dir=/var/opt/xxx/xxx


> The second question is events resulting from running 'ls -al' as a normal
>  user 'su -' to root.  This is generating a failed syscall error for
>  getxattr with an error code of 61 (no data available).  I'm assuming that
>  this is because no extended attributes were set but, regardless, I'd like
>  to avoid this.
> 
> I have the following rules that I think may be logging this but I'm not
>  sure:
> 
> -a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k SYS_attribute
> -a entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate
> 
> Would adding the following prevent these events from being logged or do I
>  need to create a new rule(?): -F exit!=-61

Yes, that would do it. Also note that the exit code is not available for rules 
on the entry filter. So, you need to change that, too.

> Lastly, is there any benefit associated with ordering the rules in
>  audit.rules, i.e., are they applied in the order they are read?

They are applied in the order they are read, per filter, as long as you use the 
'-a' operator. If you use '-A', then that rule goes to the front of the list 
for the stated filter.

The only reason to order them is when you have a specific rule that you would 
like to take priority over rules after it.

-Steve
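
Putting the three answers above together, here is an audit.rules fragment as an added example (not from the thread or the audit project). The path comes from the question; the SYS_file key is a placeholder.

```text
# /etc/audit/audit.rules fragment (added example, not from the thread).
# Rules are checked per filter in the order listed and the first match wins;
# -a appends, so the "never" rule goes first to beat the "always" rules below
# (loading it with -A instead would also force it to the front).
# Path /var/opt/xxx/xxx is the placeholder from the question.

# 1. Drop exit-filter records for the noisy application tree (dir= covers
#    the directory and everything below it).
-a exit,never -F dir=/var/opt/xxx/xxx

# 2. Attribute rules moved from the entry filter to the exit filter, where
#    the return code is available, and ENODATA (-61) is filtered out.
-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F exit!=-61 -k SYS_attribute

# 3. File create/truncate rule, likewise on the exit filter. SYS_file is a
#    placeholder key chosen for this example.
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -k SYS_file
```

On a 64-bit system the same syscall rules need a second copy with -F arch=b64, since arch=b32 only matches 32-bit calls.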

