We have a need to monitor voicemail directories for any sort of access. Basically there is only one application that should be accessing the files. If anything else accesses the files we need to log that.
We set up the following to accomplish this, but it doesn't quite do what we want.
-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch
voicemail_user is the user that initially starts the process. The problem arises when someone logged in under a different account restarts the process. From that point forward every time the application accesses that directory it results in a log message.
We need other users to be able to log in and restart the process, so our method here really doesn't work. Is there a way to log only if a different application accesses the directory rather than basing the audit on user?
I was hoping to use something like -F exe!="/path/to/application" but it looks like this is not supported.
Thank You,
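
Added example, not part of the original post: one way to get a per-application view from the rule as posted is to post-filter the voicemail_watch SYSCALL records on the exe field that auditd writes into each of them. The sample records, event numbers, and the /bin/cat and "/tmp/my tool" paths are constructed; /path/to/application is the placeholder used in the post.

```python
import re

# Assumptions: ALLOWED_EXE is the placeholder path from the post; the key
# matches the -F key= value in the posted rule.
ALLOWED_EXE = "/path/to/application"
WATCH_KEY = "voicemail_watch"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample records (abbreviated field set), not real log data.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:101): syscall=2 success=yes pid=4100 auid=1001 uid=0 comm="application" exe="/path/to/application" key="voicemail_watch"',
    'type=SYSCALL msg=audit(1700000001.200:102): syscall=2 success=yes pid=4200 auid=1002 uid=1002 comm="cat" exe="/bin/cat" key="voicemail_watch"',
    'type=PATH msg=audit(1700000001.200:102): item=0 name="/path/to/voicemail/msg0001.wav"',
    'type=SYSCALL msg=audit(1700000002.300:103): syscall=2 success=yes pid=4300 auid=1002 uid=1002 comm="my tool" exe=2F746D702F6D7920746F6F6C key="voicemail_watch"',
    'type=SYSCALL msg=audit(1700000003.400:104): syscall=2 success=yes pid=4400 auid=1002 uid=1002 comm="vi" exe="/usr/bin/vi" key="other_watch"',
]

def decode(value):
    """auditd quotes plain strings and hex-encodes values with spaces or specials."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null)

def unexpected_access(lines, allowed_exe=ALLOWED_EXE, key=WATCH_KEY):
    """Return (event_id, auid, exe) for watched SYSCALL records from other executables."""
    hits = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue  # PATH/CWD records carry no exe field
        event = EVENT_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if event is None or decode(fields.get("key", "")) != key:
            continue
        exe = decode(fields.get("exe", ""))
        if exe != allowed_exe:  # the login user (auid) is ignored on purpose
            hits.append((int(event.group(2)), fields.get("auid"), exe))
    return hits

if __name__ == "__main__":
    for event_id, auid, exe in unexpected_access(SAMPLE_LOG):
        print(f"event {event_id}: auid={auid} exe={exe}")
```

For a script, the exe field holds the interpreter's path rather than the script's, so an allowed application that runs under an interpreter cannot be told apart from other scripts this way.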