From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Bill Tangren"
Subject: Re: more on limiting auditing of file access
Date: Mon, 5 Nov 2007 15:32:13 -0500 (EST)
Message-ID: <33080.10.1.5.58.1194294733.squirrel@aa.usno.navy.mil>
In-Reply-To: <200711051508.05153.sgrubb@redhat.com>
References: <32998.10.1.5.58.1194287790.squirrel@aa.usno.navy.mil> <200711051508.05153.sgrubb@redhat.com>
To: linux-audit@redhat.com

Steve Grubb wrote:
> On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
>> I have a rule that audits failed access to files:
>>
>> -a exit,always -S chmod -S lchown -S chown -F success=0
>>
>> I assume that this is the rule that is causing so many files accessed by
>> the web server to be logged. How can I change this rule to exclude user
>> apache from tripping this rule?
>
> Fields (-F options) are "anded" to decide whether to trigger or not. So,
> you could use:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
>
> But you could choose to limit by partition or exact error code, too. For
> example, you may not want the failures due to ENOENT (file doesn't exist).
> In that case, it would be:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
>
> -Steve

Thanks, Steve. I'll try these out. And sorry about the off-list post.
Don't know why that happens sometimes, and I seem to always forget to check.

Bill

-- 
Bill Tangren
U.S. Naval Observatory
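The following is an added example, not code from the linux-audit thread above: an offline model of how auditctl combines the -S syscall list with -F filters (every filter must hold, i.e. they are ANDed), evaluated against a handful of constructed SYSCALL records. The records are written as ausearch -i would print them, with the syscall name and uid already resolved; the passwd table used to resolve "apache" is likewise constructed here. Besides Steve's two rules it tries a third variant, -F exit=-EACCES, which is this example's own suggestion (auditctl accepts errno names in the exit field; ENOENT is errno 2, which is why Steve's rule says exit!=-2). The practical point it illustrates: excluding a uid from a failed-access rule also hides an attacker who is running as that uid, whereas narrowing on the error code keeps the permission-denied failures for every user.

```python
"""Offline model of auditctl -F filter semantics (added example, not from
the linux-audit thread).  Rule lines are parsed the way auditctl reads them
and evaluated against constructed SYSCALL records whose fields are already
name-resolved, as `ausearch -i` prints them.  Nothing here reads a live log."""
import errno
import re
import shlex

# Constructed stand-in for the passwd lookups auditctl does for uid fields.
PASSWD = {"root": 0, "apache": 48, "bill": 1000}

_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}
_FILTER_RE = re.compile(r"^([a-z]+)(!=|>=|<=|=|<|>)(.+)$")


def parse_filter(expr):
    """'uid!=apache' -> ('uid', '!=', 48); 'exit=-EACCES' -> ('exit', '=', -13)."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"bad -F filter: {expr}")
    field, op, raw = m.groups()
    if field in ("uid", "euid", "auid") and raw in PASSWD:
        value = PASSWD[raw]
    elif field == "exit" and raw.lstrip("-").isalpha():
        # auditctl accepts errno names in the exit field, e.g. -F exit=-EACCES.
        value = -getattr(errno, raw.lstrip("-"))
    else:
        value = int(raw)
    return field, op, value


def parse_rule(rule):
    """Collect the -S syscalls and -F filters of one auditctl rule line."""
    argv = shlex.split(rule)
    syscalls, filters = set(), []
    for flag, arg in zip(argv[0::2], argv[1::2]):
        if flag == "-S":
            syscalls.add(arg)
        elif flag == "-F":
            filters.append(parse_filter(arg))
        # -a (list,action) and -k (key) carry no match criteria in this model
    return syscalls, filters


def parse_record(line):
    """Turn 'syscall=chmod success=no exit=-2 uid=48 ...' into a dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["success"] = 1 if rec["success"] == "yes" else 0   # -F success=0 means failed
    for k in ("exit", "uid", "euid", "auid"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def rule_matches(rule, rec):
    """A rule fires when the syscall is listed AND every -F filter holds."""
    syscalls, filters = parse_rule(rule)
    if rec["syscall"] not in syscalls:
        return False
    return all(_OPS[op](rec[field], value) for field, op, value in filters)


def select(rule, records):
    """Names of the constructed records the rule would log, in input order."""
    return [name for name, line in records if rule_matches(rule, parse_record(line))]


# Constructed SYSCALL records (name-resolved, as ausearch -i would show them).
RECORDS = [
    ("apache-chmod-ENOENT", "syscall=chmod success=no exit=-2 uid=48 comm=httpd"),
    ("apache-chown-EPERM",  "syscall=chown success=no exit=-1 uid=48 comm=httpd"),
    ("bill-chmod-EACCES",   "syscall=chmod success=no exit=-13 uid=1000 comm=chmod"),
    ("bill-chmod-ok",       "syscall=chmod success=yes exit=0 uid=1000 comm=chmod"),
    ("root-lchown-ENOENT",  "syscall=lchown success=no exit=-2 uid=0 comm=cp"),
    ("bill-open-EACCES",    "syscall=open success=no exit=-13 uid=1000 comm=cat"),
]

BASE = "-a exit,always -S chmod -S lchown -S chown -F success=0"   # Bill's rule
NOT_APACHE = BASE + " -F uid!=apache"       # Steve's first suggestion
NOT_ENOENT = BASE + " -F exit!=-2"          # Steve's second suggestion
ONLY_EACCES = BASE + " -F exit=-EACCES"     # this example's tighter variant

if __name__ == "__main__":
    for label, rule in [("base", BASE), ("uid!=apache", NOT_APACHE),
                        ("exit!=-2", NOT_ENOENT), ("exit=-EACCES", ONLY_EACCES)]:
        print(f"{label:13} -> {select(rule, RECORDS)}")
```

Running it shows the base rule logging all four failed chmod/chown/lchown calls, the uid!=apache variant dropping both httpd records (including the EPERM one that a defender would probably want), the exit!=-2 variant keeping only the EPERM and EACCES failures regardless of user, and the exit=-EACCES variant narrowing further to permission-denied failures alone. The open failure never matches because open is not in the rule's -S list.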