adding rules

[Pittigher, Raymond - CS]

OK, I can not find any documentation on auditing and/or using auditctl besides the man pages so I need to use this list
server. We run servers that are on a classified network and require auditing so the nisbom rules are loaded in the
servers. This causes huge log files, and I mean 12GB huge, too much to parse information quickly.
The file is full on entries with such things as the Backup Exec program that generates these:

type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0
a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=CWD msg=audit(1246316460.238:30532639):  cwd="/"
type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB" inode=17 dev=08:03 mode=060000 ouid=0 ogid=0
rdev=08:08 obj=system_u:object_r:tmp_t:s0

and also crond entries:
type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

and also ntpd entries:
type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8
a3=9d6d60 items=0 ppid=1 pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38
tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"

I have the ntp stuff under control by removing the 2 lines in the audit.rules file but the other 2 have thousands of
entries per day. How do I not log those in the rules? I notice that they both have selinux sub fields
(subj=system_u:system_r:crond_t) but a rule created with
auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F subj_type=crond_t
or any variation of does nothing. What can I read that would lead me in the right direction?


This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.