FW: Exclusion of Linux "top" command in Audit Rules

Keith Kaple kak at cisco.com
Mon Sep 8 14:53:36 UTC 2008


Strategies I would try are:

1) have the script add a rule via auditctl that excludes the correct pid or parent pid from logging.

2) create a special user for this task and exclude their uid in the rule.

3) copy /usr/bin/top to /usr/bin/topAsUserMonitor and set it to run setuid to some user 'monitor' (who is locked down with a default shell of /bin/nologin and then use strategy 2 excluding uid monitor) then call topAsUserMonitor instead of regular top from your script.

So your rule would look something like this:

-a exit,always -S open -F exit=-13 -F ppid!=<pid of script>

- or -

-a exit,always -S open -F exit=-13 -F uid!=monitor


hth,

Keith



On Mon, Sep 08, 2008 at 09:10:34AM -0400, Sincox, Anthony P wrote:
> I'm still looking for suggestions. 
> 
> Thanks,
> 
> Tony
> 
>  
> -----Original Message-----
> From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Sincox, Anthony P
> Sent: Tuesday, August 26, 2008 12:27 PM
> To: linux-audit at redhat.com
> Subject: Exclusion of Linux "top" command in Audit Rules
> 
> Looking for some assistance.
> 
> I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.
> 
> I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.
> 
> The logging I'm receiving is similar to this:
> 
> type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
> type=CWD msg=audit(1219770680.762:206):  cwd="/usr/local/people/tony"
> type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
> 
> This is the type of logging I'm trying to exclude. Any ideas would be helpful.
> 
> Thanks,
> 
> Tony Sincox
> 
>  
> 
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 
> 

-- 
    |       |
. | | | . | | | .
    '       ' 
    C I S C O
    GGSG VoIP   
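Added example (not code from the thread, and not Keith's or Tony's): a POSIX sh script that builds the two rule variants Keith proposes and replays the `-F field!=value` exclusion against the SYSCALL record Tony posted, so you can see which strategy actually suppresses that event before loading anything into a live auditctl. The uid value 1001 stands in for a hypothetical 'monitor' account; the script never calls auditctl or touches the running audit daemon.

```shell
#!/bin/sh
# Added example: model the exclusion rules offline. Nothing here calls
# auditctl; it only builds rule text and replays the filter logic against
# a recorded SYSCALL event.

# Build the rule text for one of the two strategies.
# $1 = field to filter on (uid or ppid), $2 = value whose events are excluded.
build_exclusion_rule() {
    case "$1" in
        uid|ppid) printf '%s\n' "-a exit,always -S open -F exit=-13 -F $1!=$2" ;;
        *) printf 'unsupported field: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Extract one key=value field from an audit record line (quotes stripped).
# $1 = record line, $2 = field name.
record_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# Replay the kernel filter: with "-F FIELD!=VALUE" the rule only matches,
# and therefore only logs, records whose FIELD differs from VALUE.
# $1 = record line, $2 = field, $3 = excluded value.
# Returns 0 if the record would still be logged, 1 if it is suppressed.
would_be_logged() {
    actual=$(record_field "$1" "$2")
    [ -z "$actual" ] && return 0   # field absent: filter cannot exclude it
    [ "$actual" != "$3" ]
}

# SYSCALL record copied from Tony's post (exit=-13 is EACCES on /var/run/utmp).
SAMPLE_RECORD='type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"'

# Print the rule and its effect on the sample record.
show() {
    build_exclusion_rule "$1" "$2"
    if would_be_logged "$SAMPLE_RECORD" "$1" "$2"; then
        echo "  -> sample top record would STILL be logged"
    else
        echo "  -> sample top record would be suppressed"
    fi
}

show ppid 8076   # strategy 1: 8076 is the script pid seen as ppid in the record
show uid 500     # strategy 2 applied to the uid top actually ran as
show uid 1001    # strategy 2 with a hypothetical 'monitor' uid (assumed value)
```

Running it shows the practical caveat: the `uid!=` rule only suppresses Tony's record if top really runs as the excluded user, which is why Keith pairs strategy 2 with the setuid copy in strategy 3; with uid 1001 the record (uid=500) is still logged. The `ppid!=` rule works against the record as posted, but the pid changes on every run of the script, so that rule has to be added by the script itself each time, as strategy 1 says.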
