How to exclude a directory? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

How to exclude a directory?

Draft copy of how to write good...

Can one compile the lastest...

leam hall

Thursday, 4 September 2014 Thu, 4 Sep '14

7:17 a.m.

I'm looking for a way to not audit events in a directory tree. Is there such an option? Thanks! Leam -- Mind on a Mission

Reply

Show replies by date

Steve Grubb

Monday, 8 September Mon, 8 Sep

11:50 a.m.

On Thursday, September 04, 2014 08:17:57 AM leam hall wrote:

I'm looking for a way to not audit events in a directory tree. Is there such an option?

You should be able to put something near the top of your rules to do this. (Audit is a first rule to match wins system.) -a never,exit -F dir=<full path to dir> Note this only works on syscalls that contain a path as an argument. If the syscall triggering the event has an fd that was opened pointing into that directory, you will still get an event because the fd is not traced back to the device/inode each invocation. -Steve

Reply

3764

days inactive

3768

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

leam hall
Steve Grubb