How to exclude a file/directory from auditd rules?

auditd records audit events to disk (/var/log/audit/audit.log by default), and tools such as ausearch and aureport are used to query those logs. No rules are loaded out of the box. On distributions that use augenrules (RHEL/CentOS 7 and later, and most current distributions), rules are written to files under /etc/audit/rules.d/, for example /etc/audit/rules.d/audit.rules; augenrules merges them into /etc/audit/audit.rules and loads the result, so the generated /etc/audit/audit.rules itself should not be edited by hand.

 

Ignoring/Excluding a file/directory in audit rules

 

Excluding directories

 

The easiest way is a never rule on the exit filter that names the directory, for example:

# vi /etc/audit/rules.d/audit.rules
-a never,exit -F dir=/path/to/exclude -k exclude_dir

This suppresses the records auditd would otherwise produce for file operations anywhere under /path/to/exclude (the dir field places a recursive watch on the directory). Two details matter here. The dir, path and inode fields are only accepted on the exit list, so the rule goes on exit, not on exclude; the exclude list drops records by message type (msgtype) and a few process attributes, never by path, and auditctl rejects such a rule. And rules are evaluated in order with the first match winning, so suppression rules must be placed before the always rules (-a always,exit ... or -w ...) they are meant to override; the auditctl man page recommends keeping suppressions at the top of the list.

 

Excluding files

 

To exclude a single file, use the path field on the exit filter in the same way:

# vi /etc/audit/rules.d/audit.rules
-a never,exit -F path=/file_to_exclude -k exclude_file

 

Here,

-a – Append the rule to the end of the list with the given action (-A prepends it instead).

never – No audit records will be generated for matching events.

exit – The rule goes on the syscall exit filter list, the only list on which the path, dir, inode and perm fields are accepted. (The exclude list seen in many examples is different: it drops records by message type, for example -a always,exclude -F msgtype=CRYPTO_KEY_USER, and cannot filter by path.)

-F – A rule field such as path, dir, inode, exe or auid. If a field is given and no -S is specified, an exit rule applies to all system calls.

-k – A key attached to matching records so they can be found later with ausearch -k.

 

Other rule fields used to exclude

 

Other exit-filter fields can suppress records in the same way, for example the executable that performed the operation (exe) or the inode number of the object:

# vi /etc/audit/rules.d/audit.rules
-a never,exit -F exe=/usr/bin/java -k exclude_java
-a never,exit -F inode=17910851 -k exclude_inode

Two caveats: the exe path must exist when the rule is loaded (the kernel resolves it at that point), and the match applies to the running executable only, so a suppressed program can still generate records through a child process with a different executable. Inode numbers are only unique within one filesystem and are reused after a file is deleted, so pair inode with the devmajor and devminor fields (the major and minor numbers of the filesystem's block device, as shown by lsblk) and re-check the number whenever the file is recreated.

 

Exclude all operations from a UID

 

To suppress everything a particular login user does, add a never rule on the exit filter keyed on the login UID (auid):

# vi /etc/audit/rules.d/audit.rules
-a exit,never -F auid=[UID number]

Note that auid is the audit login UID, assigned at login and kept across su and sudo, so this also suppresses what the user does after becoming root; uid= would match the effective UID instead. As with the path rules, this suppression must precede the always rules it is meant to override.
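A pre-load check for the exclusion rules above, added here as an example (it is not code from the original page): it reads a rules file and flags the two mistakes that make a never rule silently ineffective, namely path/dir/inode/perm fields placed on a list other than exit, and a never,exit rule that comes after an always rule or -w watch it was meant to override. The file names and rule lines in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): a pre-load lint for auditd
# exclusion rules. It catches the two mistakes that make "never" rules
# silently ineffective: putting path/dir/inode/perm fields on a list other
# than exit, and placing a never,exit rule after an always rule or -w watch.
# All file names and rule lines below are constructed for the demo.

# lint_audit_rules FILE
# Prints one diagnostic per offending line; returns 1 if anything was found.
lint_audit_rules() {
    awk '
    BEGIN { bad = 0; seen_always = 0 }
    { sub(/#.*/, "") }                       # drop comments
    /^[[:space:]]*$/ { next }                # skip blank lines
    $1 == "-w" { seen_always = 1; next }     # -w is shorthand for always,exit
    $1 == "-a" || $1 == "-A" {
        split($2, la, ",")                   # list,action may appear in either order
        list = la[1]; action = la[2]
        if (list == "always" || list == "never") { list = la[2]; action = la[1] }

        exit_only = 0
        for (i = 3; i <= NF; i++)
            if ($i == "-F" && $(i+1) ~ /^(path|dir|inode|perm)=/) exit_only = 1
        if (exit_only && list != "exit") {
            printf "%s:%d: path/dir/inode/perm are exit-list fields, not valid on the %s list\n",
                   FILENAME, FNR, list
            bad = 1
        }

        # -A prepends, so only appended (-a) rules take part in the ordering check
        if (list == "exit" && action == "always" && $1 == "-a") seen_always = 1
        if (list == "exit" && action == "never" && $1 == "-a" && seen_always) {
            printf "%s:%d: never rule after an always rule; first match wins, so move it up\n",
                   FILENAME, FNR
            bad = 1
        }
    }
    END { exit bad }
    ' "$1"
}

# Demo on a constructed rules file: the two exclusion lines as the page
# originally wrote them, then a corrected rule placed after a watch on the
# same tree, then a valid exclude-list rule that should pass.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
# constructed example input
-a never,exclude -F dir=/path/to/exclude -k exclude_dir
-a never,exclude -F path=/file_to_exclude -k exclude_file
-w /path -p wa -k path_watch
-a never,exit -F dir=/path/to/exclude -k exclude_dir
-a always,exclude -F msgtype=CRYPTO_KEY_USER
EOF
lint_audit_rules "$demo_rules" || echo "fix the rules above before running augenrules --load"
rm -f "$demo_rules"
```

Run it against each file in /etc/audit/rules.d/ before augenrules --load. It complements rather than replaces auditctl's own validation, which only happens when the rules are actually loaded; the ordering warning in particular is something auditctl never reports.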

 

Disable immutable mode

 

If the audit system is in immutable mode (enabled 2, set by an -e 2 line at the end of the rules), the kernel refuses any rule change until the next boot. Check the current state with auditctl -s: an "enabled 2" line means immutable mode is active. Then make sure the -e 2 line is commented out in the file augenrules reads (typically /etc/audit/rules.d/audit.rules or /etc/audit/rules.d/99-finalize.rules); commenting it only in the generated /etc/audit/audit.rules is not enough, because augenrules rewrites that file from rules.d:

# vi /etc/audit/rules.d/audit.rules
# Make the configuration immutable -- reboot is required to change audit rules
#-e 2

Leaving -e 2 out permanently weakens the protection it provides (anyone with root can then disable or rewrite the rules), so restore it after the change if the baseline requires immutable mode.

If immutable mode was active, a reboot is required before the new rules take effect:

# shutdown -r now

Otherwise simply reload the rules. On systemd-based distributions use augenrules or the legacy service script, because systemctl restart auditd is refused (the unit is marked RefuseManualStop):

# augenrules --load
# service auditd restart

Confirm the result with auditctl -l (the new never rules should be listed ahead of the always rules they override) and auditctl -s.
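The immutable-mode decision above as a script, added here as an example and not taken from the original page. It parses the enabled line of auditctl -s to decide between a reboot and a reload, and separately checks whether an active -e 2 line remains under the rules.d directory, which would re-lock the configuration at the next load. The auditctl -s output and the rules directory in the demo are constructed; apply_audit_rules is a hypothetical wrapper that runs the real commands and needs root.

```sh
#!/bin/sh
# Added example (not from the original page): decide whether a rule change
# needs a reboot, and catch a "-e 2" that survived in rules.d. The auditctl -s
# output and rules directory below are constructed; on a real host feed in
# "$(auditctl -s)" and /etc/audit/rules.d instead.

# audit_enabled_state STATUS_TEXT
# Prints the value of the "enabled" line from `auditctl -s` (0, 1 or 2).
audit_enabled_state() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# rules_dir_sets_immutable RULES_DIR
# Succeeds if any uncommented "-e 2" line exists in RULES_DIR/*.rules, i.e.
# the next augenrules --load (or boot) would lock the configuration again.
rules_dir_sets_immutable() {
    grep -qsE '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$1"/*.rules
}

# audit_reload_plan STATUS_TEXT
# Prints "reboot" when the running audit system is immutable, else "reload".
audit_reload_plan() {
    if [ "$(audit_enabled_state "$1")" = "2" ]; then
        echo reboot
    else
        echo reload
    fi
}

# apply_audit_rules: hypothetical wrapper for a real host (root only; not run
# in the demo). Reloads via augenrules when possible and lists the result.
apply_audit_rules() {
    case "$(audit_reload_plan "$(auditctl -s)")" in
        reboot) echo "immutable mode active: reboot to load the new rules" >&2; return 1 ;;
        reload) augenrules --load && auditctl -l ;;
    esac
}

# Demo with constructed data: a locked kernel plus a rules.d that still
# carries -e 2 in its finalize file.
demo_status='enabled 2
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
demo_dir=$(mktemp -d)
printf '%s\n' '-w /etc/passwd -p wa -k passwd' > "$demo_dir/10-local.rules"
printf '%s\n' '## Make the configuration immutable' '-e 2' > "$demo_dir/99-finalize.rules"

echo "plan: $(audit_reload_plan "$demo_status")"   # reboot: the kernel is locked
if rules_dir_sets_immutable "$demo_dir"; then
    echo "warning: -e 2 is still active under $demo_dir; the next load will re-lock the rules"
fi
rm -rf "$demo_dir"
```

The warning is the point of the second check: if -e 2 stays in rules.d, the reboot that was needed to unlock the kernel simply locks it again with whatever rules were in rules.d at that moment, so the edit and the -e 2 change have to land in the same reload or boot.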
