From: Steve Grubb
Subject: Re: Excluding stat syscall logging for specific path
Date: Fri, 29 Apr 2016 14:00:51 -0400
To: linux-audit@redhat.com

On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote:
> Hi,
>
> When playing/learning with auditd, I wanted to log events when apache fails
> to access a file.
>
> Here are the rules I used in Debian Wheezy (same on Jessie and current
> latest Testing):
>
> -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
> -a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
>
> /var/www/server-status file is non-existent,

Is it a symlink? If it really doesn't exist, then there is no inode to match
against.

> it's just an alias for accessing
> mod_status information ( http://.../server-status path is accessed by munin
> regularly) so I wanted to minimise noise by that exit,never rule.
>
> But I can't get it to work.

What kernel are you using?

-Steve

> I have a more in-depth post in Debian forums [1] if that helps, but in short,
> should this work in general?
>
> Thanks!
>
> [1] http://forums.debian.net/viewtopic.php?f=5&t=128092