Excluding stat syscall logging for specific path

Vincas Dargis vindrg at gmail.com
Fri Apr 29 19:05:34 UTC 2016


2016.04.29 21:48, Steve Grubb wrote:
>> No, there is no such file at all, and shouldn’t be, but apache2 tries to
>> check it, hence success=0 case is spammed into the logs.
>
> Normally ENOENT failures are not a security concern. Normally EACCES and EPERM
> are what attempted security policy violations return with. There is an inode
> in that case.

Yeah, now I am using -S open with EACCES/EPERM as in the audit.rules example. Failed stats ("scans") can actually be seen
from apache2 error.log.

> But it turns out that kernel doesn't matter this time.

Yes, it's clear to me now.

Thank you!



