Hi there, I've configured audit.rules on a server that I administer, to log all file-system activity matching permissions "wa". A few files under these directories are to be excluded. In particular, I am attempting to exclude the logging of actions on files which may not yet exist.
For example: a user like "Apache" might try to read and write to a file called "thisfileexists.php" which exists on the FS. I consider this action perfectly valid and do not require it to be logged; instead I create a rule to exclude it, using the system call matching rule "exit,never -F path=...". On the other hand, a user like "Apache" might try to write to a file called "thisfilesdoesnotyetexist.php" which does not yet exist, which I also consider to be a perfectly valid action, and require no log of. This action, however, is on a specific file that I know Apache will try to write to, but which has not yet been created and may never exist.

An example configuration of /etc/audit/audit.rules:

    #### EXCLUDE FALSE POSITIVES ####
    -a exit,never -F path=/var/www/html/somepath/thisfilesdoesnotexist.php
    -a exit,never -F path=/var/www/html/somepath/thisfileexists.php

    #### LOG EVERYTHING ELSE ####
    -w /var/www/html -p wa -k webserver-writes

Essentially the above rule should log all activity, except for the excluded items:

    /var/www/html/somepath/thisfilesdoesnotexist.php
    /var/www/html/somepath/thisfileexists.php

However, since "thisfiledoesnotexist.php" does not actually exist, it seems that the audit rule does not apply, and if the "Apache" user tries to create it, the action gets logged. This is not what I want or expected. The "thisfileexists.php", on the other hand, does exist, and the audit rule seems to function and does NOT log write actions. This is what I want and expected.

From the above experiment I deduce that an audit rule to exclude a system call from logging, using "exit,never", will not function if the file it refers to does not exist. Is this correct, or did I simply make a mistake?

Thank you for any clarification provided,

Xavier Lashmar
Analyste de Systèmes | Systems Analyst
Service étudiants | Student Web Services
Service de l'informatique et des communications | Computing and Communications Services.
Tél. | Tel. 613-562-5800 (2120)

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
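As an added example (not part of the original post, and not code from the audit project), here is a small POSIX shell script that rebuilds the poster's rule layout in a temporary directory and performs two checks a practitioner would want before relying on such exclusions: it lists every "-a exit,never -F path=" target that does not exist on disk at the moment the rules are loaded (the situation the poster observed not being honoured), and it confirms that all "exit,never" rules appear before the "-w" watch, since the audit subsystem acts on the first rule that matches. The directory, file names and rules file are constructed for the demonstration; auditctl is not required to run it.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: rules are one per line in auditctl syntax, as in the poster's file,
# and exclusion targets contain no whitespace (audit rule paths rarely do).

# Write a constructed audit.rules file that mirrors the poster's layout.
# $1 stands in for /var/www/html, $2 is the output file.
make_sample_rules() {
  cat > "$2" <<EOF
#### EXCLUDE FALSE POSITIVES ####
-a exit,never -F path=$1/somepath/thisfilesdoesnotexist.php
-a exit,never -F path=$1/somepath/thisfileexists.php
#### LOG EVERYTHING ELSE ####
-w $1 -p wa -k webserver-writes
EOF
}

# Print the path= target of every "-a exit,never" rule in the rules file $1.
never_path_targets() {
  grep -E '^-a[[:space:]]+(exit,never|never,exit)' "$1" |
    sed -n 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p'
}

# Print each exclusion target that does not currently exist on disk.
# Exit status 0 when every target exists, 1 when at least one is missing.
missing_exclude_targets() {
  rc=0
  for p in $(never_path_targets "$1"); do
    if [ ! -e "$p" ]; then
      printf '%s\n' "$p"
      rc=1
    fi
  done
  return "$rc"
}

# Check that every "exit,never" rule comes before the first logging rule
# (a -w watch or an -a exit,always rule). The first matching rule decides,
# so an exclusion placed after the watch would never be reached.
# Exit status 0 when the order is fine, 1 otherwise.
excludes_precede_logging() {
  first_log=$(grep -nE '^(-w[[:space:]]|-a[[:space:]]+(exit,always|always,exit))' "$1" |
    head -n 1 | cut -d: -f1)
  last_never=$(grep -nE '^-a[[:space:]]+(exit,never|never,exit)' "$1" |
    tail -n 1 | cut -d: -f1)
  [ -z "$first_log" ] || [ -z "$last_never" ] || [ "$last_never" -lt "$first_log" ]
}

# Demonstration on a temporary tree: one excluded file exists, the other does not,
# exactly the two cases described in the post.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/www/somepath"
  : > "$tmp/www/somepath/thisfileexists.php"
  make_sample_rules "$tmp/www" "$tmp/audit.rules"
  if excludes_precede_logging "$tmp/audit.rules"; then
    echo "rule order: exclusions precede the watch"
  else
    echo "rule order: an exclusion follows the watch and will never match"
  fi
  echo "exclusion targets that do not exist yet:"
  missing_exclude_targets "$tmp/audit.rules"
  rm -rf "$tmp"
}

demo
```

Running the script prints the one constructed target that is absent from disk; on a real host the same two functions can be pointed at /etc/audit/audit.rules to see which path-based exclusions refer to files that do not exist at load time, which is the first thing to look at when an exclusion appears to be ignored.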