From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: more on limiting auditing of file access
Date: Mon, 5 Nov 2007 15:08:04 -0500
Message-ID: <200711051508.05153.sgrubb@redhat.com>
References: <32998.10.1.5.58.1194287790.squirrel@aa.usno.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <32998.10.1.5.58.1194287790.squirrel@aa.usno.navy.mil>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
> I have a rule that audits failed access to files:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0
>
> I assume that this is the rule that is causing so many files accessed by
> the web server to be logged. How can change this rule to exclude user
> apache from tripping this rule?

Fields (-F options) are "anded" to decide whether to trigger or not. So, you 
could use:

-a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache

But you could chose to limit by partition or exact error code, too. For 
example, you may not want the failures due to ENOENT (file doesn't exist). In 
that case, it would be:

-a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2

-Steve