The Geek Diary

How to exclude a file/directory from auditd rules

by admin

auditd is the userspace component of the Linux auditing system: it lets system users configure rules and alerts for the kernel's auditing functionality. Because it is tightly integrated with the kernel, it can monitor almost anything that happens on the system.

To let users see what is going on, auditd records all audit-related events to disk, and tools such as ausearch or aureport can be used to go through the log files. By default, no rules are configured. Rules are written to the /etc/audit/rules.d/audit.rules configuration file, which is read at startup, and the corresponding audit actions are then applied.

Ignoring/Excluding a file/directory in audit rules

Excluding directories

The easiest way is to exclude the path from logging, for example:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F dir=/path/to/exclude -k exclude_dir

The rule above excludes the directory /path/to/exclude from being logged by auditd.

On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

Excluding files

To exclude files from auditing:

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F path=/file_to_exclude -k exclude_file

Here,
-a – Append a rule to the end of the list, with an action.
never – No audit records will be generated.
exclude – Add the rule to the event type exclusion filter list.
-F – Rule field, such as path, inode number or file name.

Other rule fields used to exclude

You can also disable auditing of files/directories using other rule fields, such as the inode number or the command/application name (for example /sbin/rm):

# vi /etc/audit/rules.d/audit.rules
-a never,exclude -F exe=/usr/bin/java -k exclude_java
-a never,exclude -F inode=17910851 -k exclude_inode

Exclude all operations from a UID

Use the format below to exclude all operations performed under a given UID (the auid field matches the login UID):

# vi /etc/audit/rules.d/audit.rules
-a exit,never -F auid=[UID number]

Disable immutable mode

If the audit system is in immutable mode, no rule changes are allowed. So also make sure the entry below in /etc/audit/audit.rules is commented out, if it is not already:

# vi /etc/audit/audit.rules
# Make the configuration immutable -- reboot is required to change audit rules
#-e 2

If immutable mode was enabled, you need to reboot the system after making the above changes:

# shutdown -r now

Otherwise, simply restart the auditd service:

# service auditd restart
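As an added check that is not part of the original article, the script below parses a rules file in the format shown above and flags two things that silently defeat an exclusion: a never rule placed after an always rule (or -w watch) covering the same path, since auditd acts on the first matching rule, and an active -e 2 line, which locks the rules until reboot. The sample rules are constructed for this example.

```python
import re
import shlex

# Constructed sample in the format used above; not taken from any real system.
SAMPLE_RULES = """\
-w /etc -p wa -k etc_changes
-a always,exit -F arch=b64 -S open -F dir=/var/log/app -k app_logs
-a never,exit -F dir=/var/log/app -k exclude_dir
-a never,exit -F dir=/var/lib/docker -k exclude_docker
-a always,exit -F arch=b64 -S open -F dir=/var/lib/docker -k docker
-a never,exit -F path=/etc/motd -k exclude_motd
-e 2
"""

def parse_rule(line):
    # Return (action, path) for a -w/-a/-A rule with a dir= or path= field, else None
    parts = shlex.split(line)
    if len(parts) > 1 and parts[0] == "-w":          # -w PATH is an always rule on PATH
        return "always", parts[1]
    if len(parts) > 1 and parts[0] in ("-a", "-A"):
        action = "never" if "never" in parts[1].split(",") else "always"
        for flag, value in zip(parts, parts[1:]):
            m = re.fullmatch(r"(dir|path)=(.+)", value) if flag == "-F" else None
            if m:
                return action, m.group(2)
    return None

def covers(parent, child):
    # A rule on parent also matches child when child is parent itself or lies under it
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def lint_rules(text):
    # Return (line_number, message) for never rules that can never fire and for active -e 2
    findings, always_seen = [], []                   # always_seen: (path, line_number)
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.fullmatch(r"-e\s+2", line.strip()):
            findings.append((lineno, "-e 2 is active: rules are immutable until reboot"))
            continue
        parsed = parse_rule(line)                    # comments and blank lines yield None
        if parsed is None:
            continue
        action, path = parsed
        if action == "always":
            always_seen.append((path, lineno))
            continue
        for apath, aline in always_seen:             # auditd fires on the first matching rule
            if covers(apath, path):
                findings.append((lineno, f"never rule for {path} follows always rule on line {aline}"))
                break
    return findings
```

Run it against SAMPLE_RULES and it reports lines 3, 6 and 7; move the never rules above the always rules they should suppress and only the -e 2 finding remains.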

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux


© 2023 · The Geek Diary
