CentOS 7 Auditing. Exclude one directory and anything that happens in it.

MenaceRx
Posts: 8
Joined: 2016/03/22 16:45:45

Post by MenaceRx » 2018/03/20 13:32:57

I need some assistance on turning off auditing for one directory. We have some old software that does all these sudo chmod/chgrp/chown commands against files inside the directory. I want to stop auditing any changes to anything in that one directory done by any user. I have had no success yet turning it off, and as a result it slows down the startup of that application.

The long-term plan is to rewrite the code. In the meantime I need to kill it for that directory so I can speed up the program's launch times.

I tried this rule set to ignore it. Any help is appreciated.

-a never,exit -F exe=/usr/bin/chown -F exe=/usr/bin/chgrp -F exe=/usr/bin/chmod -F path=/usr/local/rfapp/* -F perm=x -F uid=0 -F auid=0 -F uid=7202000027 -F auid=7202000027 -F auid>=500 -k perm_mod

aks
Posts: 2526
Joined: 2014/09/20 11:22:14

Re: CentOS 7 Auditing. Exclude one directory and anything that happens in it.

Post by aks » 2018/03/21 19:47:49

I imagine you should be auditing on sudo (rather than the other actions as they are arguments). But I'm no auditing expert.
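
An added example, not part of the thread: a small Python check that parses the `-F` fields of the rule posted in the question and reports why it can never match, next to a replacement exclusion rule. The replacement rule, the `arch=b64` choice and the syscall list are assumptions, not something either poster supplied.

```python
import re
import shlex
from collections import defaultdict

# Constructed copy of the rule posted in the question.
POSTED = ("-a never,exit -F exe=/usr/bin/chown -F exe=/usr/bin/chgrp "
          "-F exe=/usr/bin/chmod -F path=/usr/local/rfapp/* -F perm=x "
          "-F uid=0 -F auid=0 -F uid=7202000027 -F auid=7202000027 "
          "-F auid>=500 -k perm_mod")

# Assumed replacement (not from the thread): one exclusion for the subtree,
# covering the attribute-change syscalls. It has to be loaded ahead of the
# "always" rule it overrides, because the first matching rule wins.
SUGGESTED = ("-a never,exit -F arch=b64 -S chmod -S fchmod -S fchmodat "
             "-S chown -S fchown -S lchown -S fchownat "
             "-F dir=/usr/local/rfapp")

FIELD = re.compile(r"([a-z0-9_]+)(!=|>=|<=|=|>|<)(.*)")


def parse_fields(rule):
    """Return (name, operator, value) for every -F option in an audit rule."""
    tokens = shlex.split(rule)
    pairs = zip(tokens, tokens[1:])
    return [FIELD.match(value).groups() for flag, value in pairs if flag == "-F"]


def lint(rule):
    """Return (field, problem) pairs explaining why a rule cannot match."""
    findings, equals = [], defaultdict(set)
    for name, op, value in parse_fields(rule):
        if op == "=":
            equals[name].add(value)
        if name == "path" and any(c in value for c in "*?["):
            findings.append((name, "path= is a literal file name, not a glob; "
                                   "dir= covers a directory and its subtree"))
        if name == "perm" and "a" not in value:
            findings.append((name, "chmod/chown are attribute changes (perm=a)"))
    for name, values in equals.items():
        if len(values) > 1:
            findings.append((name, "fields are ANDed, so %d different values "
                                   "can never all be true" % len(values)))
    return findings


if __name__ == "__main__":
    for field, problem in lint(POSTED):
        print("%-5s %s" % (field, problem))
    print("suggested rule findings:", lint(SUGGESTED))
```

A system that also runs 32-bit binaries would need a matching `arch=b32` rule.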
