Hello,

I want to add some new rules to the Linux auditing system in the file
filter.conf.

For example, I want to log accesses to the squid log files through
the following rule:

predicate is-squid-log = prefix(/var/log/squid)

tag "SQUID_logs"

syscall @file-ops = is-squid-log(arg0);

When I reload the audit service and test it by reading a file in the
/var/log/squid directory, the audit system does not log this access.

Is this rule OK?

Thank you in advance.

Other system config:

service
-------
audit 0:desactivado 1:desactivado 2:activo 3:activo 4:activo 5:activo 6:desactivado

sysctl
------
dev.audit.debug = 0
dev.audit.paranoia = 0
dev.audit.max-messages = 1024
dev.audit.allow-suspend = 1
dev.audit.attach-all = 1