On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote:
> Hi,
> When playing/learning with auditd, I wanted to log events when apache fails
> to access a file.
> Here are the rules I used in Debian Wheezy (same on Jessie and current
> latest Testing):
> -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
> -a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
> /var/www/server-status file is non-existent,

Is it a symlink? If it really doesn't exist, then there is no inode to match
against.

> it's just an alias for accessing
> mod_status information ( http://.../server-status path is accessed by munin
> regularly) so I wanted to minimise noise by that exit,never rule.
> But I can't get it to work.

What kernel are you using?

-Steve

> I have a more in-depth post in Debian forums [1] if that helps, but in
> short,
> should this work in general?
> Thanks!
> [1]
> http://forums.debian.net/viewtopic.php?f=5&t=128092
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
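
The question raised in the reply above (does the path exist, and is it a symlink?) can be checked for every path-based field before a rule set is loaded. This is an added example, not part of the original thread; the function name `check_audit_paths` and its output format are hypothetical, and the two rules fed to it at the end are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: classify every path=/dir= field found in audit rules.
# Reads rules on stdin, prints one "<status> <path>" line per field.
# status is one of: ok (exists), symlink (is a symlink), missing (no such file).
# check_audit_paths and its output format are hypothetical names for this example.
check_audit_paths() {
    while IFS= read -r rule; do
        # Skip blank lines and comment lines.
        case "$rule" in ''|'#'*) continue ;; esac
        set -f                      # no glob expansion while splitting the rule
        for word in $rule; do
            case "$word" in
                path=*|dir=*) target=${word#*=} ;;
                *) continue ;;
            esac
            # Test for a symlink first: -e follows links and would hide it.
            if [ -L "$target" ]; then
                echo "symlink $target"
            elif [ -e "$target" ]; then
                echo "ok $target"
            else
                echo "missing $target"
            fi
        done
        set +f
    done
}

# The two rules quoted in the post, used as sample input.
check_audit_paths <<'EOF'
-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
EOF
```

A `missing` result for a `path=` field is the situation the reply describes: there is no inode for the rule to match against.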