On DATE, the author spaketh: Steve Grubb > On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote: >> I have a rule that audits failed access to files: >> >> -a exit,always -S chmod -S lchown -S chown -F success=0 >> >> I assume that this is the rule that is causing so many files accessed by >> the web server to be logged. How can change this rule to exclude user >> apache from tripping this rule? > > Fields (-F options) are "anded" to decide whether to trigger or not. So, > you > could use: > > -a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache > > But you could chose to limit by partition or exact error code, too. For > example, you may not want the failures due to ENOENT (file doesn't exist). > In > that case, it would be: > > -a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2 > > -Steve >
Thanks, Steve. I'll try these out. And sorry about the off-list post. Don't know why that happens sometimes, and I seem to always forget to check. Bill -- Bill Tangren U.S. Naval Observatory -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
