I have a problem with auditd rules. I'd like to audit the /opt/zimbra/mailboxd/webapps/ directory, but without the zimbraAdmin/WEB-INF/, zimlet/WEB-INF/ and zimbra/WEB-INF/ subfolders.
cat /etc/audit/audit.rules:
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF/ -k ex_1
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimlet/WEB-INF/ -k ex_2
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/ -k ex_3
-w /opt/zimbra/mailboxd/webapps/ -p w -k zimbra_jsp
The above doesn't work: auditctl -l shows "no rules". When I try to run those rules separately (from the console), the exclude rules exit with this error:
auditctl -a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF/ -k ex_1
Only msgtype, *uid, *gid, pid, and subj* fields can be used with exclude filter
Why?
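The error message is the answer: the exclude filter only decides which records leave the kernel based on message type, uid/gid, pid and SELinux subject, so it cannot take a path or dir field at all, and auditctl refuses the whole rules file when one rule is invalid. Path-based suppression belongs on the exit filter as "never" rules instead, and they must be listed above the watch, because the kernel stops at the first exit rule that matches an event. The script below is an added example, not part of the original post or of auditd's own documentation: it generates that rule set (reusing the post's paths and keys ex_1..ex_3 and zimbra_jsp), checks the ordering, and shows the root-only load and verification commands in comments. The file name 30-zimbra.rules is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not from the original post). The exclude filter only accepts
# msgtype, *uid, *gid, pid and subj* fields, so path-based suppression has to
# go on the exit filter: "-a never,exit -F dir=..." rules placed ABOVE the
# watch. The kernel stops at the first matching exit rule, so line order is
# what makes the suppression work.

WEBAPPS=/opt/zimbra/mailboxd/webapps
EXCLUDES="zimbraAdmin/WEB-INF zimlet/WEB-INF zimbra/WEB-INF"

# Emit the rule set in load order: three suppressions, then the watch.
# Keys ex_1..ex_3 and zimbra_jsp are the ones used in the post.
gen_zimbra_rules() {
    i=1
    for sub in $EXCLUDES; do
        # dir= is a recursive watch; perm=w limits the suppression to the same
        # write events the watch below would record.
        printf '%s\n' "-a never,exit -F dir=$WEBAPPS/$sub/ -F perm=w -k ex_$i"
        i=$((i + 1))
    done
    printf '%s\n' "-w $WEBAPPS/ -p w -k zimbra_jsp"
}

# Sanity check for a rules file: returns 0 if no "never" rule comes after the
# watch on $WEBAPPS (a suppression below the watch is never reached), else 1.
check_rule_order() {
    awk -v watch="$WEBAPPS/" '
        $1 == "-w" && $2 == watch { watch_seen = NR }
        $1 == "-a" && ($2 == "never,exit" || $2 == "exit,never") && watch_seen { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

main() {
    tmp=$(mktemp)
    gen_zimbra_rules > "$tmp"
    if ! check_rule_order "$tmp"; then
        echo "never rules must precede the watch" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp"
    rm -f "$tmp"
    # Loading and verifying needs root and a running auditd (not done here).
    # 30-zimbra.rules is a hypothetical name; augenrules concatenates
    # /etc/audit/rules.d/ in sort order, so keep suppressions and watch in
    # one file:
    #   gen_zimbra_rules > /etc/audit/rules.d/30-zimbra.rules
    #   augenrules --load && auditctl -l
    #   touch "$WEBAPPS/zimbra/WEB-INF/t1" "$WEBAPPS/t2"
    #   ausearch -k zimbra_jsp -ts recent    # expect only the t2 write
}

main
```

Two caveats: the "never" rules only suppress; they do not tag anything, so the ex_N keys are there purely for auditctl -l readability. And because first match wins, a single syscall that touches both an excluded and a non-excluded path (a rename across the boundary, for instance) is decided by whichever rule the kernel reaches first, which with this ordering is the suppression.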