How to exclude directories from auditing?

Steve Grubb sgrubb at redhat.com
Fri Oct 25 12:44:04 UTC 2013

Previous message (by thread): How to exclude directories from auditing?
Next message (by thread): SYSCALL and you...err...and me...
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Friday, October 25, 2013 06:28:23 AM Leam Hall wrote:
> I know you can specify certain directories to watch. Is there a way to
> exclude sub-directories?
> 
> Pointers to docs are appreciated; I have a lot to learn!

Something like this should work:
-a never,exit -F dir=/var

Remember first match wins. Exclusions should come before other rules.

-Steve

Previous message (by thread): How to exclude directories from auditing?
Next message (by thread): SYSCALL and you...err...and me...
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Linux-audit mailing list