The Geek Diary

How to exclude a file/directory from auditd rules

by

auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system. One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really.

In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files. By default, there are no rules that are configured. We need to write our rules in the /etc/audit/rules.d/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

Ignoring/Excluding a file/directory from in audit rule

Excluding directories

Easiest way to do is to simply disable path from Logging for example:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F dir=/path/to/exclude -k exclude_dir

Above will exclude directory /path/to/exclude from being logged by auditd.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

Excluding files

To exclude files from auditing:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F path=/file_to_exclude -k exclude_file

Here,
-a – Append rule to the end of list with action.
never – No audit records will be generated.
exclude – Add a rule to the event type exclusion filter list
-F – Rule field like path, inode number, file name etc.

Other Rules fields used to exclude

You can also disable auditing of files/directories by using various other rules fields like inode number, command/application name like /sbin/rm etc.

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F exe=/usr/bin/java -k exclude_java
-a never,exclude -F inode=17910851 -k exclude_inode

exclude all operations from a UID

Add below format to exclude all operations from a uid.

# vi /etc/audit/rules.d/audit.rules
-a exit,never -F auid=[UID number]

Disable immutable mode

If the audit system is in immutable mode, no rule changes are allowed. So make sure you also comment in /etc/audit/audit.rules below entry if not already commented.

# vi /etc/audit/audit.rules
# Make the configuration immutable -- reboot is required to change audit rules
#-e 2

You need to take a reboot of the system post the above changes are done.

# shutdown -r now

In normal cases simply restart auditd service:

# service auditd restart

You May Also Like