Why is a CONFIG_CHANGE event generated when the watched file is removed, created, and renamed?

Solution Verified - Updated -

Issue

  • I have an audit rule to exclude a file from audit event logging.
    -a exit,never -F path=/opt/test.tmp
  • After this rule is applied, the following CONFIG_CHANGE event is always recorded when /opt/test.tmp is created, removed, or renamed.
    type=CONFIG_CHANGE msg=audit(XXXXXXXX.XXX:XXX): auid=0 ses=16 op=updated_rules path="/opt/test.tmp" key=(null) list=4 res=1
  • Also, these events are counted as events for /opt/test.tmp in the output of aureport -f --summary.
  • Why is the CONFIG_CHANGE event recorded even if the file is excluded with the above audit rule?
  • How can I exclude the CONFIG_CHANGE events?

Environment

Red Hat Enterprise Linux 7
