Why is a CONFIG_CHANGE event generated when the watched file is removed, created, and renamed?
Issue
- I have an audit rule to exclude a file from audit event logging.
    -a exit,never -F path=/opt/test.tmp
- After this rule is applied, the following CONFIG_CHANGE event is always recorded when /opt/test.tmp is created, removed, or renamed.
    type=CONFIG_CHANGE msg=audit(XXXXXXXX.XXX:XXX): auid=0 ses=16 op=updated_rules path="/opt/test.tmp" key=(null) list=4 res=1
- Also, these events are counted as events for /opt/test.tmp in the output of aureport -f --summary.
- Why is the CONFIG_CHANGE event recorded even if the file is excluded with the above audit rule?
- How can I exclude the CONFIG_CHANGE events?
Environment
Red Hat Enterprise Linux 7