Hi Steve, Thanks for the reply. Yes and yes: [root@host1 ~]# mount|grep ab /dev/mapper/VolGroupCF00-abf_graph on /naab2 type ext4 (rw) /dev/mapper/VolGroupCF01-abf_icff on /naab1 type ext4 (rw)
[root@host1 ~]# ll /|grep ab lrwxrwxrwx 1 root root 6 May 9 2011 ab1 -> /naab1 lrwxrwxrwx 1 root root 6 May 9 2011 ab2 -> /naab2 drwxrwx--- 5 root ab_users 4096 May 20 2011 naab1 drwxrwx--- 6 root ab_users 4096 Jun 29 2011 naab2 [root@host1 ~]# How does that affect the the rule, which was for the actual mount point, not the sym link? LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all Cheers, Max -----Original Message----- From: Steve Grubb [mailto:[email protected]] Sent: 13 January 2012 14:46 To: [email protected] Cc: Max Williams Subject: Re: Path ignored but syscall event still logged On Thursday, January 12, 2012 09:45:59 AM Max Williams wrote: > Sorry to bug you but is this issue I'm having a bug or have I made a > mistake in the rules? Is there another way I could exclude this > directory from auditd? Looking back at the original... /naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK- serial/1568280a-4eef7e3f-3873 Are there any mount points in that path? Or any symlinks pointing to other disk devices? Thanks, -Steve ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________ -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
