Excluding files from auditing

Xavier Lashmar xlashmar at uottawa.ca
Tue May 26 19:41:41 UTC 2015


Hi there,

I've configured audit.rules on a server that I administer, to log all file-system activity matching permissions "wa".  A few files under these directories are to be excluded.  In particular, I am attempting to exclude the logging of actions on files which may not yet exist.  

For example:

A user like "Apache" might try to read and write to a file called "thisfileexists.php" which exists on the FS.  I consider this action perfectly valid and do not require it to be logged; instead I create a rule to exclude it, using the system call matching rule "exit,never -F path=..."

On the other hand, a user like "Apache" might try to write to a file called "thisfilesdoesnotyetexist.php" which does not yet exist, which I also consider to be a perfectly valid action and do not require to be logged.  This action, however, is on a specific file that I know Apache will try to write to, but which has not yet been created and may never exist.

An example configuration of /etc/audit/audit.rules

#### EXCLUDE FALSE POSITIVES ####
# "never" rules are listed first: the filter stops at the first matching
# rule, so a suppression must precede the watch it is meant to quiet.
-a exit,never -F path=/var/www/html/somepath/thisfilesdoesnotexist.php
-a exit,never -F path=/var/www/html/somepath/thisfileexists.php
#### LOG EVERYTHING ELSE ####
# Watch the whole tree for writes (w) and attribute changes (a);
# the key lets the events be pulled out with "ausearch -k webserver-writes".
-w /var/www/html -p wa -k webserver-writes

Essentially the above rule should log all activity, except for the excluded items:

/var/www/html/somepath/thisfilesdoesnotexist.php
/var/www/html/somepath/thisfileexists.php

However, since "thisfiledoesnotexist.php" does not actually exist, it seems that the audit rule does not apply and if the "Apache" user tries to create it, the action gets logged.  This is not what I want or expected.

The "thisfileexists.php" on the other hand does exist, and the audit rule seems to function and does NOT log write actions.  This is what I want and expected.

From the above experiment I deduce that an audit rule to exclude a system call from logging using "exit,never" will not function if the file it refers to does not exist.  Is this correct, or did I simply make a mistake?

Thank you for any clarification provided,

Xavier Lashmar
Analyste de Systèmes | Systems Analyst
Service étudiants | Student Web Services
Service de l'informatique et des communications | Computing and Communications Services.
Tél. | Tel. 613-562-5800 (2120)
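The following script is an added example, not part of the original post and not code from the audit project. It is a pre-load sanity check for an audit.rules file that takes the poster's observation as a working assumption (an "exit,never -F path=" suppression only takes hold for a file that exists on disk when the rules are loaded): it lists every path named in a "-F path=" or "-w" rule that is missing on disk, and it flags "never" rules that are listed after a "-w" watch, since the filter stops at the first matching rule and such a suppression comes too late. The sample rules file it builds (the "late-exclusion.php" rule included) is constructed for the demonstration and is modelled on, not copied from, the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the original post or the audit project): sanity
# checks to run over an audit.rules file before loading it with auditctl.
# Working assumption, taken from the post: a "-a exit,never -F path=" rule
# only suppresses events for a file that already exists at load time.

# Print the path named by a "-F path=" or "-w" rule line; print nothing
# for any other line.
rule_path() {
    line="$1"
    case "$line" in
        *"-F path="*) p="${line#*-F path=}"; printf '%s\n' "${p%% *}" ;;
        -w\ *)        p="${line#-w }";        printf '%s\n' "${p%% *}" ;;
        *)            : ;;
    esac
}

# Print every rule path that does not exist on disk yet (comment lines
# are skipped). Under the assumption above these are the rules that
# will not behave as a suppression once loaded.
audit_missing_paths() {
    grep -v '^[[:space:]]*#' "$1" | while IFS= read -r line; do
        p=$(rule_path "$line")
        if [ -n "$p" ] && [ ! -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Print "never" rules that appear after a "-w" watch rule. The filter
# takes the first matching rule, so such a suppression never wins
# against the watch listed above it.
audit_late_never_rules() {
    seen_watch=0
    grep -v '^[[:space:]]*#' "$1" | while IFS= read -r line; do
        case "$line" in
            -w\ *)
                seen_watch=1 ;;
            *never*)
                if [ "$seen_watch" -eq 1 ]; then
                    printf '%s\n' "$line"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample (not the poster's server): one file that exists, one
# that does not, and a rules file modelled on the post plus one "never"
# rule placed after the watch. Prints the rules file path; the caller
# removes the temporary directory.
make_sample_rules() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/somepath"
    : > "$tmp/html/somepath/thisfileexists.php"
    cat > "$tmp/audit.rules" <<EOF
#### EXCLUDE FALSE POSITIVES ####
-a exit,never -F path=$tmp/html/somepath/thisfilesdoesnotexist.php
-a exit,never -F path=$tmp/html/somepath/thisfileexists.php
#### LOG EVERYTHING ELSE ####
-w $tmp/html -p wa -k webserver-writes
-a exit,never -F path=$tmp/html/somepath/late-exclusion.php
EOF
    printf '%s\n' "$tmp/audit.rules"
}

# Usage: sh audit-rule-check.sh /etc/audit/audit.rules
if [ $# -gt 0 ]; then
    echo "Rule paths missing on disk:"
    audit_missing_paths "$1"
    echo "never rules listed after a -w watch:"
    audit_late_never_rules "$1"
fi
```

Run against the sample, the first check reports "thisfilesdoesnotexist.php" and "late-exclusion.php" and stays silent about "thisfileexists.php"; the second reports only the "late-exclusion.php" rule. The check is purely a userspace lint of the rules file and says nothing about what the kernel does with a watch on a path that appears later.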

More information about the Linux-audit mailing list