Excluding stat syscall logging for specific path

Steve Grubb sgrubb at redhat.com
Fri Apr 29 18:00:51 UTC 2016


On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote:
> Hi,
> 
> When playing/learning with auditd, I wanted to log events when apache fails
> to access a file.
> 
> Here are the rules I used in Debian Wheezy (same on Jessie and current
> latest Testing):
> 
> -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
> -a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
> 
> /var/www/server-status file is non-existent,

Is it a symlink? If it really doesn't exist, then there is no inode to match 
against.


> it's just an alias for accessing
> mod_status information ( http://.../server-status path is accessed by munin
> regularly) so I wanted to minimise noise by that exit,never rule.
> 
> But I can't get it to work.

What kernel are you using?

-Steve

> I have a more in-depth post in Debian forums [1] if that helps, but in short,
> should this work in general?
> 
> Thanks!
> 
> [1] http://forums.debian.net/viewtopic.php?f=5&t=128092
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
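
Following the point in the reply that a nonexistent path has no inode for the rule to match against, one alternative is to keep the `exit,always` rule and drop the noisy name when reading the records. This is an added example, not part of the original thread: the log records are constructed and abbreviated to the fields the code reads, and `parse_events` and `failed_access` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit records (not from the thread). uid=33 is
# www-data on Debian; syscall=4 is stat on x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1461952800.101:501): arch=c000003e syscall=4 success=no exit=-2 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952800.101:501): item=0 name="/var/www/server-status"
type=SYSCALL msg=audit(1461952801.202:502): arch=c000003e syscall=4 success=no exit=-13 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952801.202:502): item=0 name="/var/www/private/report.html"
type=SYSCALL msg=audit(1461952802.303:503): arch=c000003e syscall=4 success=no exit=-2 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952802.303:503): item=0 name="/var/www/favicon.ico"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records sharing one audit(timestamp:serial) ID into one event."""
    events = defaultdict(lambda: {"fields": {}, "paths": []})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        event = events[m.group(1)]
        if fields.get("type") == "PATH":
            # The name is what the process asked for; it is recorded even
            # when the lookup failed and no inode exists.
            event["paths"].append(fields.get("name", ""))
        elif fields.get("type") == "SYSCALL":
            event["fields"] = fields
    return events

def failed_access(text, key="web", ignore=("/var/www/server-status",)):
    """Return (event_id, exit_code, path) for failed syscalls tagged `key`,
    skipping names listed in `ignore`."""
    hits = []
    for eid, ev in parse_events(text).items():
        f = ev["fields"]
        if f.get("key") != key or f.get("success") != "no":
            continue
        for path in ev["paths"]:
            if path not in ignore:
                hits.append((eid, int(f["exit"]), path))
    return hits
```
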



