How to exclude specific users or groups when using auditd to watch files

Resolution

See also: How to exclude specific users, groups, or services when using auditd to audit syscalls

• The following audit rule essentially audits all writes & attribute-changes to /opt/application and everything beneath it

  -w /opt/application -p wa
  

• If the goal is to ignore changes made to this directory by a particular user or group, the simple rule will first need to be converted to the more expressive format, e.g.:

  -a always,exit -F dir=/opt/application -F perm=wa
  

• In this more expressive format, conditions can now be added, e.g.:

  • -F uid!=USER
    (Where USER is some user or user ID)
    Adding this to the above rule would effectively "whitelist" USER, preventing their actions from triggering the rule

  • -F uid>=1000
    Adding this to the above rule would effectively "whitelist" all actions by system users

  • -F success=1
    Adding this to the above rule would prevent logging of unsuccessful write attempts

  • Note that there are many more rule field names to allow more specificity with users and groups, e.g., auid, egid, euid, fsgid, fsuid, gid
    (See the auditctl(8) man page for more details)

Final example

• Consider the following:

  -a always,exit -F dir=/opt/application -F perm=w -F uid!=bob -F uid!=alice -F auid!=root -F uid>=1000 -F gid!=admins -F success=1
  

• The above example rule will effectively audit all successful writes to /opt/application, except those executed by processes which are:

  • owned by the user "bob"
  • owned by the user "alice"
  • owned by a user who originally logged in as root
  • owned by a user with a UID less than 1000
  • owned by a process where the primary group is "admins"