I need some assistance on turning off auditing for one directory. We have some old software that does all these sudo chmod/chgrp/chown commands against files inside the directory. I want to stop auditing any changes to anything in that one directory done by any user. I have had no success yet turning it off, and as a result it slows down the start up of that application.
Long term plan is to rewrite the code. In the mean time i need to kill it for that directory so I can speed up the programs launch times.
I tried this rule set to ignore it. Any help is appreciated.
-a never,exit -F exe=/usr/bin/chown -F exe=/usr/bin/chgrp -F exe=/usr/bin/chmod -F path=/usr/local/rfapp/* -F perm=x -F uid=0 -F auid=0 -F uid=7202000027 -F auid=7202000027 -F auid>=500 -k perm_mod
CentOS 7 Auditing. Exclude one directory and anything that happens in it.
Re: CentOS 7 Auditing. Exclude one directory and anything that happens in it.
I imagine you should be auditing on sudo (rather than the other actions as they are arguments). But I'm no auditing expert.