How to exclude a directory?

Steve Grubb sgrubb at redhat.com
Mon Sep 8 16:50:33 UTC 2014


On Thursday, September 04, 2014 08:17:57 AM leam hall wrote:
> I'm looking for a way to not audit events in a directory tree. Is
> there such an option?

You should be able to put something near the top of your rules to do this.
(Audit is a first-rule-to-match-wins system.)

-a never,exit -F dir=<full path to dir>

Note this only works on syscalls that contain a path as an argument. If the 
syscall triggering the event has an fd that was opened pointing into that 
directory, you will still get an event because the fd is not traced back to 
the device/inode each invocation.

-Steve
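An added example, not from the post or from the audit project itself: a small Python check that applies the "first rule to match wins" point above to a rules list before loading it with auditctl, flagging any `-a never,exit -F dir=...` exclusion that sits below an `always` rule or `-w` watch covering the same tree. The overlap test is an assumption of this example: it only compares the path each rule keys on and ignores other `-F` filters such as arch, uid or perm, and the sample rules are constructed.

```python
"""Order-check audit rules: the kernel applies the first matching rule, so a
'-a never,exit -F dir=X' exclusion must precede any 'always' rule covering X.
Assumption: overlap is judged on the rule's path only (dir=, path=, or -w)."""
import re
from typing import List, Optional, Tuple


def rule_path(rule: str) -> Optional[str]:
    """Path a rule keys on: '-F dir=' / '-F path=' or a '-w <path>' watch."""
    m = re.search(r"-F\s+(?:dir|path)=(\S+)|(?:^|\s)-w\s+(\S+)", rule)
    return (m.group(1) or m.group(2)) if m else None


def rule_action(rule: str) -> Optional[str]:
    """'never' or 'always' for -a rules; a -w watch is implicitly 'always'."""
    m = re.search(r"-a\s+(?:(never|always),exit|exit,(never|always))", rule)
    if m:
        return m.group(1) or m.group(2)
    return "always" if re.search(r"(?:^|\s)-w\s", rule) else None


def overlaps(a: str, b: str) -> bool:
    """True when the two paths are equal or one lies inside the other."""
    a, b = a.rstrip("/"), b.rstrip("/")  # "/" becomes "", so "/x".startswith("/") holds
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def shadowed_exclusions(rules: List[str]) -> List[Tuple[int, int]]:
    """(never_index, always_index) pairs where an earlier always rule covers the excluded dir."""
    problems = []
    for i, never in enumerate(rules):
        if rule_action(never) != "never" or rule_path(never) is None:
            continue
        for j in range(i):
            if rule_action(rules[j]) == "always" and rule_path(rules[j]) is not None \
               and overlaps(rule_path(never), rule_path(rules[j])):
                problems.append((i, j))
    return problems


def hoist_exclusions(rules: List[str]) -> List[str]:
    """Return the rules with every 'never' rule moved to the front, relative order kept."""
    never = [r for r in rules if rule_action(r) == "never"]
    rest = [r for r in rules if rule_action(r) != "never"]
    return never + rest


# Constructed sample: the cache exclusion is shadowed by the /srv/app rule above it.
SAMPLE_RULES = [
    "-w /etc/passwd -p wa -k identity",
    "-a always,exit -F arch=b64 -S openat -F dir=/srv/app -k app",
    "-a never,exit -F dir=/srv/app/cache",
    "-a never,exit -F dir=/var/tmp",
]
```

`shadowed_exclusions(SAMPLE_RULES)` reports the third rule as shadowed by the second; `hoist_exclusions` returns an ordering with no such problems. Even with the exclusion hoisted, Steve's caveat still applies: syscalls that take only an fd opened inside the tree are not matched by the dir filter.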