[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Path ignored but syscall event still logged



Hi Steve,
Thanks for the reply. Yes and yes:

[root host1 ~]# mount|grep ab
/dev/mapper/VolGroupCF00-abf_graph on /naab2 type ext4 (rw)
/dev/mapper/VolGroupCF01-abf_icff on /naab1 type ext4 (rw)

[root host1 ~]# ll /|grep ab
lrwxrwxrwx    1 root root               6 May  9  2011 ab1 -> /naab1
lrwxrwxrwx    1 root root               6 May  9  2011 ab2 -> /naab2
drwxrwx---    5 root ab_users  4096 May 20  2011 naab1
drwxrwx---    6 root ab_users  4096 Jun 29  2011 naab2
[root host1 ~]#

How does that affect the the rule, which was for the actual mount point, not the sym link?
LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all

Cheers,
Max

-----Original Message-----
From: Steve Grubb [mailto:sgrubb redhat com] 
Sent: 13 January 2012 14:46
To: linux-audit redhat com
Cc: Max Williams
Subject: Re: Path ignored but syscall event still logged

On Thursday, January 12, 2012 09:45:59 AM Max Williams wrote:
> Sorry to bug you but is this issue I'm having a bug or have I made a 
> mistake in the rules? Is there another way I could exclude this 
> directory from auditd?

Looking back at the original...

/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-
serial/1568280a-4eef7e3f-3873

Are there any mount points in that path? Or any symlinks pointing to other disk devices?

Thanks,
-Steve

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]