Re: more on limiting auditing of file access
On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
I have a rule that audits failed access to files:
-a exit,always -S chmod -S lchown -S chown -F success=0
I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can change this rule to exclude user
apache from tripping this rule?
Fields (-F options) are "anded" to decide whether to trigger or not. So, you
could use:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
But you could chose to limit by partition or exact error code, too. For
example, you may not want the failures due to ENOENT (file doesn't exist). In
that case, it would be:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
-Steve