* Disabling monitoring of a subfolder
@ 2011-11-24 14:46 Marina Gray
2011-11-28 15:48 ` Marcelo Cerri
2011-11-29 16:26 ` Steve Grubb
0 siblings, 2 replies; 3+ messages in thread
From: Marina Gray @ 2011-11-24 14:46 UTC (permalink / raw)
To: linux-audit

I have a folder which I'd like to monitor with auditd, with the
exception of one specific subdirectory. Is there any way I can disable
monitoring just that subdirectory, but keep monitoring the rest of the
dir recursively as usual?

Say, I first do:

    auditctl -w /var/mydata/ -k my-data -p w

and want to exclude looking at /var/mydata/tmp_data/

Thanks!

M G

* Re: Disabling monitoring of a subfolder
From: Marcelo Cerri @ 2011-11-28 15:48 UTC (permalink / raw)
To: linux-audit

Hi,

You could use a syscall based form to write the rule.

First exclude the subdirectory that you don't want to watch (using
*never* as action):

    auditctl -a exit,never -F dir=/var/mydata/tmp_data -k my-data

And then add a watcher to all the rest:

    auditctl -a exit,always -F dir=/var/mydata -F perm=w -k my-data

Regards,
Marcelo

On 11/24/2011 12:46 PM, Marina Gray wrote:
> I have a folder which I'd like to monitor with auditd, with the
> exception of one specific subdirectory. Is there any way I can disable
> monitoring just that subdirectory, but keep monitoring the rest of the
> dir recursively as usual?
>
> Say, I first do:
>
> auditctl -w /var/mydata/ -k my-data -p w
>
> and want to exclude looking at /var/mydata/tmp_data/
>
>
> Thanks!
>
>
> M G

* Re: Disabling monitoring of a subfolder
From: Steve Grubb @ 2011-11-29 16:26 UTC (permalink / raw)
To: linux-audit; +Cc: Marina Gray
On Thursday, November 24, 2011 09:46:57 AM Marina Gray wrote:
> I have a folder which I'd like to monitor with auditd, with the
> exception of one specific subdirectory. Is there any way I can disable
> monitoring just that subdirectory, but keep monitoring the rest of the
> dir recursively as usual?
>
> Say, I first do:
>
> auditctl -w /var/mydata/ -k my-data -p w
>
> and want to exclude looking at /var/mydata/tmp_data/

The kernel was patched at some point to allow excluding folders, but the excluded
folder has to be before the recursive folder - order matters.

    -a never,exit -F dir=/var/mydata/tmp_data/
    -a always,exit -F dir=/var/mydata/ -F key=my-data -F perm=w

If this doesn't work, you are probably on an older kernel that can't do it.

-Steve
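
The ordering requirement from the last reply (the exclusion has to come before the recursive rule) can be checked over a rules file before it is loaded. This is an added example, not part of the thread or of the audit project's code; the function name check_exclusion_order and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint directory-rule ordering.
# Reports every "never" rule that comes after an "always" rule covering
# the same directory or one of its parents.

check_exclusion_order() {
    # $1: file of rules, either bare "-a ..." lines or "auditctl -a ..." lines.
    # Prints one finding per misordered rule; returns 1 if any, else 0.
    awk '
    function rule_dir(line,    n, f, i) {
        # Put the value of "-F dir=" into the global dir, minus trailing "/".
        n = split(line, f, /[ \t]+/)
        for (i = 1; i < n; i++)
            if (f[i] == "-F" && f[i+1] ~ /^dir=/) {
                dir = substr(f[i+1], 5)
                sub(/\/+$/, "", dir)
                return 1
            }
        return 0
    }
    { sub(/^[ \t]*auditctl[ \t]+/, "") }      # accept the command-line form too
    $1 == "-a" && rule_dir($0) {
        act = "," $2 ","                      # "never,exit" and "exit,never" both work
        if (act ~ /,always,/) {
            watched[++nw] = dir; wline[nw] = NR
        } else if (act ~ /,never,/) {
            for (i = 1; i <= nw; i++)
                if (index(dir "/", watched[i] "/") == 1) {
                    printf "line %d: never rule for %s follows always rule for %s (line %d)\n", NR, dir, watched[i], wline[i]
                    bad = 1
                }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two rules from the thread, in the wrong order.
sample=$(mktemp)
printf '%s\n' \
    '-a always,exit -F dir=/var/mydata/ -F key=my-data -F perm=w' \
    '-a never,exit -F dir=/var/mydata/tmp_data/' > "$sample"
check_exclusion_order "$sample" || echo "move the never rule above the always rule"
rm -f "$sample"
```

The check only compares rules that carry a `-F dir=` field; `-w` watches and other rule types are ignored.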