How do I exclude a directory from audit?
Using audit to track system changes, with rules from the CIS security guidelines.
This server also has Splunk running on it, which creates lots of changes that are reflected in the audit log files, so much so that the audit logs are being rotated every few minutes, causing several issues, one being that audit ceases auditing while log files are being rotated.
I thought it would be an easy job to exclude /u00/splunk/var (the source from which audit is generating the logs) by adding an exclude to audit.rules, but I have tried several things, all with zero success.
-W never,exit -F path=/u00/splunk/var
-w never,exit -F path=/u00/splunk/var
-a never,exit -F path=/u00/splunk/var
I had to turn off the immutable option by commenting out the -e 2 at the bottom of audit.rules, then added to the top of the file:
-W never,exclude -F path=/u00/splunk/var -k exclude
...and then rebooted; the reboot is a must if you had the immutable option set.
Seems to be working.