How to exclude a directory from Linux audit

Using audit to track system changes, with rules from the CIS security guidelines.

This server also has Splunk running on it, this created a crap load of changes that are reflected in the audit log files, so much so that the audit logs are being rotated every few minutes, causing several issues, such as my audit logs only covering a time span of 16mins or so!  It is also  mentioned that whilst the logs are being rotated, and on a busy server, the auditing ceases briefly.

So I thought it would be an easy job to exclude /u00/splunk/var (the source from where audit is generating the logs) by adding an exclude to audit.rules but I have tried several things all with zero success.

I tried:

  •     -W never,exit -F path=/u00/splunk/var
  •     -w never,exit -F path=/u00/splunk/var
  •     -a never,exit -F path=/u00/splunk/var

…followed by /etc/init.d/audit stop and start.

All of which was pointless and a waste of time, as I had forgotten about the immutable option at the bottom of audit.rules

I had to turn off the immutable option by commenting out the (-e 2) at the bottom of audit.rules, then add to the top of the file:

-W never,exclude -F path=/u00/splunk/var -k exclude

…and then rebooted, the reboot is a must if you had the immutable option set.


About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s