auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system. One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really.
In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files. By default, there are no rules that are configured. We need to write our rules in the /etc/audit/rules.d/audit.rules configuration file that will be read and the corresponding audit actions will be applied.
Ignoring/Excluding a file/directory from in audit rule
Excluding directories
Easiest way to do is to simply disable path from Logging for example:
# vi /etc/audit/rules.d/audit.rules -a never,exclude -F dir=/path/to/exclude -k exclude_dir
Above will exclude directory /path/to/exclude from being logged by auditd.
Excluding files
To exclude files from auditing:
# vi /etc/audit/rules.d/audit.rules -a never,exclude -F path=/file_to_exclude -k exclude_file
Here,
-a – Append rule to the end of list with action.
never – No audit records will be generated.
exclude – Add a rule to the event type exclusion filter list
-F – Rule field like path, inode number, file name etc.
Other Rules fields used to exclude
You can also disable auditing of files/directories by using various other rules fields like inode number, command/application name like /sbin/rm etc.
# vi /etc/audit/rules.d/audit.rules -a never,exclude -F exe=/usr/bin/java -k exclude_java -a never,exclude -F inode=17910851 -k exclude_inode
exclude all operations from a UID
Add below format to exclude all operations from a uid.
# vi /etc/audit/rules.d/audit.rules -a exit,never -F auid=[UID number]
Disable immutable mode
If the audit system is in immutable mode, no rule changes are allowed. So make sure you also comment in /etc/audit/audit.rules below entry if not already commented.
# vi /etc/audit/audit.rules # Make the configuration immutable -- reboot is required to change audit rules #-e 2
You need to take a reboot of the system post the above changes are done.
# shutdown -r now
In normal cases simply restart auditd service:
# service auditd restart