Do not record auditd events for crond attempts

Call, Tom H tom.h.call at lmco.com
Tue Mar 3 16:16:12 UTC 2009


Steve, et al.

 Here is a representative sample of audit.log entries recorded whenever
cron periodically (every minute) queries for cron entries that need
execution. 
"
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0
auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old
auid=4294967295 new auid=0
type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0
auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0
auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
"
 These events typically comprise at least 80% of all the audit.log
entries although they are repetitive throughout the log and do not
indicate any user attempt to compromise the system.

 Is there any relatively straightforward way that I can configure
Auditd to not record events for crond routinely running as root?

 I am using audit-1.0.16-3.el4 on CentOS-4.7

Thanks!

Tom Call, LMCO  
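
An added example, not part of the original message: a Python script that separates routine crond PAM records like the sample above from the rest of an audit.log at review time, so their share of the log can be measured. The LOGIN record carries no exe= field, so it is attributed to cron by pid while that cron session is open. The sample rejoins the wrapped records onto single lines, the sshd record is constructed for contrast, and the function name is hypothetical.

```python
import re

# Records from the message above, rejoined onto single lines as in audit.log.
# The final sshd record is constructed so that something remains to be kept.
SAMPLE = """\
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old auid=4294967295 new auid=0
type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0 auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_AUTH msg=audit(1236084950.100:2388): user pid=20200 uid=0 auid=4294967295 msg='PAM authentication: user="alice" exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=ssh result=Failed)'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:\d+\):")
PID = re.compile(r"\bpid=(\d+)")
EXE = re.compile(r'exe="([^"]+)"')

def split_cron_noise(lines, cron_exe="/usr/sbin/crond"):
    """Return (kept, dropped). Dropped = successful crond PAM records plus
    LOGIN records whose pid belongs to a cron session that is still open."""
    open_pids, kept, dropped = set(), [], []
    for line in lines:
        header = HEADER.match(line)
        if not header:
            continue  # not an audit record
        rtype = header.group(1)
        pid_m, exe_m = PID.search(line), EXE.search(line)
        pid = pid_m.group(1) if pid_m else None
        from_cron = bool(exe_m) and exe_m.group(1) == cron_exe
        if from_cron:
            open_pids.add(pid)
        # Failed crond records are deliberately kept: only Success is routine.
        noise = (from_cron and "result=Success" in line) or (
            rtype == "LOGIN" and pid in open_pids)
        if from_cron and rtype == "USER_END":
            open_pids.discard(pid)  # session closed; pid may be reused later
        (dropped if noise else kept).append(line)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = split_cron_noise(SAMPLE.splitlines())
    total = len(kept) + len(dropped)
    print(f"{len(dropped)}/{total} records are routine crond PAM events")
    for record in kept:
        print("KEEP", record)
```

This filters at review time only; the records are still written to audit.log.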