Hi.  I have a few basic questions.

 

First, we have a particular piece of software that generates a lot of log entries for file deletes (successful & unsuccessful).  I’d like to limit what is actually captured by excluding that directory.

 

I’m thinking that I could add: -F dir!=/var/opt/xxx/xxx

 

Would that prevent logging from anything recursively from that directory and below or do I need to set rules to specifically exclude for each file (which I may do anyways)?  Is there a different/better means for doing this?

 

The second question is events resulting from running ‘ls -al’ as a normal user ‘su -‘ to root.  This is generating a failed syscall error for getxattr with an error code of 61 (no data available).  I’m assuming that this is because no extended attributes were set but, regardless, I’d like to avoid this.

 

I have the following rules that I think may be logging this but I’m not sure:

 

-a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k SYS_attribute

-a entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate

 

Would adding the following prevent these events from being logged or do I need to create a new rule(?): -F exit!=-61

 

Lastly, is there any benefit associated with ordering the rules in audit.rules, i.e., are they applied in the order they are read?

 

Thanks and let me know if need to provide additional information.

 

Aaron


The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.