Excluding stat syscall logging for specific path
Vincas Dargis
vindrg at gmail.com
Fri Apr 29 18:16:17 UTC 2016
2016.04.29 21:00, Steve Grubb rašė:
> On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote:
>> Hi,
>>
>> When playing/learning with auditd, I wanted to log events when apache fails
>> to access file.
>>
>> Here's the rules I used in Debian Wheezy (same on Jessie and and current
>> latest Testing):
>>
>> -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
>> -a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
>>
>> /var/www/server-status file is non-existant,
>
> Is it a symlink? If it really doesn't exist, then there is no inode to match
> against.
Oh...
No, there is no such file at all, and shouldn’t be, but apache2 tries to check it, hence success=0 case is spammed into
then logs. Same with .htaccess files that apache2 tries to find in every directory...
I though it is possible to exclude stat calls with that path as argument to the syscall, but if it actually needs
physical inode... then I guess it makes sense why it does not work for me.
I wanted to _ignore_ some known stat/open failures for non-existant files, to recap.
> What kernel are you using?
3.2 and 3.16 for sure, and I believe I tested on Debian Testing so it should be 4.5 currently.
P.S. should I reply to all or just the list?
Thanks.
More information about the Linux-audit
mailing list