* How to exclude a directory?
From: leam hall @ 2014-09-04 12:17 UTC
To: linux-audit
I'm looking for a way to not audit events in a directory tree. Is
there such an option?
Thanks!
Leam
--
Mind on a Mission
* Re: How to exclude a directory?
From: Steve Grubb @ 2014-09-08 16:50 UTC
To: linux-audit
On Thursday, September 04, 2014 08:17:57 AM leam hall wrote:
> I'm looking for a way to not audit events in a directory tree. Is
> there such an option?
You should be able to put something near the top of your rules to do this.
(Audit is a first-rule-to-match-wins system.)

    -a never,exit -F dir=<full path to dir>

Note this only works on syscalls that contain a path as an argument. If the
syscall triggering the event has an fd that was opened pointing into that
directory, you will still get an event because the fd is not traced back to
the device/inode on each invocation.
-Steve
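
An added example, not part of the reply above or of the audit project's code: a small checker for the ordering point, flagging a `never,exit` exclusion that sits below a watch or `always,exit` rule able to match the same tree first. The rules text and the paths /srv and /srv/scratch are constructed placeholders; only `-w` and `-a` lines are modelled, and `-F` fields other than dir=/path= are ignored.

```python
import shlex
from pathlib import PurePosixPath

# Constructed rules text; /srv and /srv/scratch are placeholder paths.
SAMPLE_RULES = """\
-D
-w /srv -p wa -k srv-changes
-a never,exit -F dir=/srv/scratch
-a always,exit -F arch=b64 -S unlink -F dir=/home -k home-delete
"""

def parse_rule(line):
    """Return (action, path or None) for a -w watch or -a exit-list rule, else None."""
    tok = shlex.split(line, comments=True)
    if len(tok) < 2:
        return None
    if tok[0] == "-w":                      # a watch acts like an always,exit rule
        return ("always", tok[1])
    if tok[0] != "-a" or "exit" not in tok[1].split(","):
        return None                         # -A (prepend) and other lists are not modelled
    action = "never" if "never" in tok[1].split(",") else "always"
    path = None
    for flag, value in zip(tok, tok[1:]):
        if flag == "-F" and value.startswith(("dir=", "path=")):
            path = value.split("=", 1)[1]
    return (action, path)

def overlaps(a, b):
    """True if the two paths are equal or one tree contains the other."""
    a, b = PurePosixPath(a), PurePosixPath(b)
    return a == b or a in b.parents or b in a.parents

def shadowed_exclusions(text):
    """Return (never_line, earlier_line) pairs where an earlier rule can match first."""
    earlier, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        action, path = rule
        if action == "never" and path:
            # Conservative: other -F fields are ignored, and an earlier rule
            # with no dir=/path= filter is assumed able to match any path.
            findings += [(no, e_no) for e_no, e_path in earlier
                         if e_path is None or overlaps(e_path, path)]
        elif action == "always":
            earlier.append((no, path))
    return findings

if __name__ == "__main__":
    for never_no, earlier_no in shadowed_exclusions(SAMPLE_RULES):
        print(f"line {never_no}: exclusion can be pre-empted by line {earlier_no}")
```

Moving the `never,exit` line above the watch clears the finding for the sample rules.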