Path ignored but syscall event still logged

Max Williams Max.Williams at betfair.com
Fri Jan 13 16:46:58 UTC 2012


Hi Steve,
Thanks for the reply. Yes and yes:

[root@host1 ~]# mount|grep ab
/dev/mapper/VolGroupCF00-abf_graph on /naab2 type ext4 (rw)
/dev/mapper/VolGroupCF01-abf_icff on /naab1 type ext4 (rw)

[root@host1 ~]# ll /|grep ab
lrwxrwxrwx    1 root root               6 May  9  2011 ab1 -> /naab1
lrwxrwxrwx    1 root root               6 May  9  2011 ab2 -> /naab2
drwxrwx---    5 root ab_users  4096 May 20  2011 naab1
drwxrwx---    6 root ab_users  4096 Jun 29  2011 naab2
[root@host1 ~]#

How does that affect the rule, which was for the actual mount point, not the symlink?
LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all

Cheers,
Max

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: 13 January 2012 14:46
To: linux-audit at redhat.com
Cc: Max Williams
Subject: Re: Path ignored but syscall event still logged

On Thursday, January 12, 2012 09:45:59 AM Max Williams wrote:
> Sorry to bug you but is this issue I'm having a bug or have I made a 
> mistake in the rules? Is there another way I could exclude this 
> directory from auditd?

Looking back at the original...

/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873

Are there any mount points in that path? Or any symlinks pointing to other disk devices?

Thanks,
-Steve
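
Steve's question, whether the logged path crosses a mount point or a symlink onto another device, can be checked component by component. The script below is an added example, not part of the original thread or of the audit tools; the function name walk_path is hypothetical, and it assumes a change in st_dev between consecutive components marks a filesystem boundary.

```python
import os
import sys


def walk_path(path):
    """Return (component, kind, detail) findings for each symlink or
    device-number change met while walking an absolute path from /."""
    findings = []
    current = os.sep
    prev_dev = os.stat(current).st_dev
    for part in [p for p in os.path.abspath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        try:
            is_link = os.path.islink(current)   # lstat: final component only
            dev = os.stat(current).st_dev       # follows a symlink to its target
        except OSError as exc:
            # Missing or unreadable component: report it and stop walking.
            findings.append((current, "unreadable", exc.strerror))
            break
        if is_link:
            findings.append((current, "symlink", os.readlink(current)))
        if dev != prev_dev:
            # Different device number than the parent: mount point, or a
            # symlink whose target lives on another filesystem.
            findings.append((current, "device-change", f"{prev_dev} -> {dev}"))
        prev_dev = dev
    return findings


if __name__ == "__main__":
    # Usage: pass the full path taken from the audit record.
    for target in sys.argv[1:]:
        for component, kind, detail in walk_path(target):
            print(f"{component}\t{kind}\t{detail}")
```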
