• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How to exclude a file/directory from auditd rules

by admin

auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system. One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really.

In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files. By default, there are no rules that are configured. We need to write our rules in the /etc/audit/rules.d/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

Ignoring/Excluding a file/directory from in audit rule

Excluding directories

Easiest way to do is to simply disable path from Logging for example:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F dir=/path/to/exclude -k exclude_dir

Above will exclude directory /path/to/exclude from being logged by auditd.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

Excluding files

To exclude files from auditing:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F path=/file_to_exclude -k exclude_file

Here,
-a – Append rule to the end of list with action.
never – No audit records will be generated.
exclude – Add a rule to the event type exclusion filter list
-F – Rule field like path, inode number, file name etc.

Other Rules fields used to exclude

You can also disable auditing of files/directories by using various other rules fields like inode number, command/application name like /sbin/rm etc.

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F exe=/usr/bin/java -k exclude_java
-a never,exclude -F inode=17910851 -k exclude_inode

exclude all operations from a UID

Add below format to exclude all operations from a uid.

# vi /etc/audit/rules.d/audit.rules
-a exit,never -F auid=[UID number]

Disable immutable mode

If the audit system is in immutable mode, no rule changes are allowed. So make sure you also comment in /etc/audit/audit.rules below entry if not already commented.

# vi /etc/audit/audit.rules
# Make the configuration immutable -- reboot is required to change audit rules
#-e 2

You need to take a reboot of the system post the above changes are done.

# shutdown -r now

In normal cases simply restart auditd service:

# service auditd restart

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

Some more articles you might also be interested in …

  1. Common NFS mount options in Linux
  2. Understanding the /etc/inittab File in Linux
  3. lvscan Command Examples in Linux
  4. How To Configure Separate Override.conf For Multiple MySQL Instances Using Systemd
  5. mkfs.ext4 Command Examples in Linux
  6. CentOS / RHEL 5 : How to use the faillog command to track failed login attempts
  7. Slow SSH login due to unreachable rsyslog server
  8. CentOS / RHEL 7 : How to add a kernel parameter only to a specific kernel
  9. echo Command Examples in Linux
  10. How to generate PGP keys using GPG on Linux

You May Also Like

Primary Sidebar

Recent Posts

  • vgextend Command Examples in Linux
  • setpci command – configure PCI device
  • db_load command – generate db database
  • bsdtar command – Read and write tape archive files

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright