On Friday 11 December 2009 01:20:49 pm Wyllie, Aaron wrote:
> Hi. I have a few basic questions.
>
> First, we have a particular piece of software that generates a lot of log
> entries for file deletes (successful & unsuccessful). I'd like to limit
> what is actually captured by excluding that directory.
>
> I'm thinking that I could add: -F dir!=/var/opt/xxx/xxx
>
> Would that prevent logging from anything recursively from that directory
> and below or do I need to set rules to specifically exclude for each file
> (which I may do anyways)? Is there a different/better means for doing
> this?

I think you want -a exit,never -F dir=/var/opt/xxx/xxx

> The second question is events resulting from running 'ls -al' as a normal
> user 'su -' to root. This is generating a failed syscall error for
> getxattr with an error code of 61 (no data available). I'm assuming that
> this is because no extended attributes were set but, regardless, I'd like
> to avoid this.
>
> I have the following rules that I think may be logging this but I'm not
> sure:
>
> -a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -k SYS_attribute
> -a entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S
> ftruncate
>
> Would adding the following prevent these events from being logged or do I
> need to create a new rule(?): -F exit!=-61

Yes, that would do it. Also note that the exit code is not available for rules
on the entry filter. So, you need to change that, too.

> Lastly, is there any benefit associated with ordering the rules in
> audit.rules, i.e., are they applied in the order they are read?

They are in the order they are read in per each filter as long as you use the
'-a' operator. If you use '-A', then that rule goes to the front of the list
for the stated filter. The only reason to order them is when you have a
specific rule that you would like to take priority over rules after it.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
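A small model of how the rule lists in this thread behave, added here as an illustration and not auditctl's or the kernel's code: it reads rules in audit.rules syntax, appends for -a and prepends for -A, lets the first matching rule on a filter decide, and rejects -F exit on the entry filter. The dir= and exit!=-61 rules follow the thread; the getxattr and unlink rules, the event dicts and the paths are constructed stand-ins.

```python
import shlex

# Constructed audit.rules lines: the 'never' rule comes first so it takes priority, the
# xattr rules use the exit filter (entry cannot see the exit code), and the getxattr and
# unlink rules are hypothetical stand-ins for whatever produced the ls / delete records.
RULES = [
    "-a exit,never -F dir=/var/opt/xxx/xxx",
    "-a exit,always -F arch=b32 -S getxattr -S lgetxattr -F exit!=-61 -k SYS_attribute",
    "-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr"
    " -S lremovexattr -S fremovexattr -F exit!=-61 -k SYS_attribute",
    "-a exit,always -F arch=b32 -S unlink -S unlinkat -k delete",
]

def parse_rule(line):
    """Turn one auditctl-style line into filter, action, syscall set and -F fields."""
    toks = shlex.split(line)
    rule = {"prepend": False, "syscalls": set(), "fields": []}
    for opt, val in zip(toks[::2], toks[1::2]):  # every option used here takes one argument
        if opt in ("-a", "-A"):
            rule["filter"], rule["action"] = val.split(",")
            rule["prepend"] = opt == "-A"  # -A puts the rule at the head of its list
        elif opt == "-S":
            rule["syscalls"].add(val)
        elif opt == "-F":
            op = "!=" if "!=" in val else "="
            key, _, want = val.partition(op)
            rule["fields"].append((key, op, want))
    return rule  # -k and other options are ignored by this model

def load_rules(lines):
    """Build the per-filter lists in submission order: -a appends, -A prepends."""
    filters = {}
    for r in map(parse_rule, lines):
        if r["filter"] == "entry" and any(k == "exit" for k, _, _ in r["fields"]):
            raise ValueError("exit code is not available on the entry filter")
        lst = filters.setdefault(r["filter"], [])
        lst.insert(0 if r["prepend"] else len(lst), r)
    return filters

def field_matches(key, op, want, event):
    """dir= matches any path at or below that directory; other fields compare as text."""
    if key == "dir":
        hit = any(p == want or p.startswith(want + "/") for p in event["paths"])
    else:
        hit = str(event.get(key)) == want
    return hit if op == "=" else not hit

def is_logged(filters, event):
    """Walk the exit filter in order; the first matching rule decides, no match means no record."""
    for r in filters.get("exit", []):
        if r["syscalls"] and event["syscall"] not in r["syscalls"]:
            continue
        if all(field_matches(k, op, w, event) for k, op, w in r["fields"]):
            return r["action"] == "always"
    return False
```

Swapping the 'never' rule to the end of RULES (or writing it with -A at the end) shows why ordering matters: only the first matching rule on a filter is consulted.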
