Suppress messages from /var/log/audit.log via audit.rules

Vipin Rathor v.rathor at gmail.com
Thu Sep 29 14:54:23 UTC 2011


From the little knowledge that I have -
For excluding 'cwd' type messages, try this at the beginning of the rule file:
-a exclude,always -F msgtype=CWD

For other messages, try 'exit=4294967294' in rules. Not sure if this
will solve it, but worth a try.

On Thu, Sep 29, 2011 at 8:01 PM, Worsham, Michael <mworsham at scires.com> wrote:
> Does anyone have an idea on how to suppress (exclude) these entries from
> showing up in the audit.log on a RHEL platform? I have tried the following
> to no success:
>
>
>
> type=CWD msg=audit(1316431049.130:131982948):  cwd="/"
>
> type=PATH msg=audit(1316431049.130:131982948): item=0
> name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/x86_64/libc.so.6"
>
> type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2
> success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662
> items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
> type=CWD msg=audit(1316431049.130:131982949):  cwd="/"
>
> type=PATH msg=audit(1316431049.130:131982949): item=0
> name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
>
> type=SYSCALL msg=audit(1316431049.130:131982950): arch=c000003e syscall=2
> success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662
> items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
> type=CWD msg=audit(1316431049.130:131982950):  cwd="/"
>
> type=PATH msg=audit(1316431049.130:131982950): item=0
> name="/usr/lib/vmware-tools/lib64/libdnet.so.1/x86_64/libc.so.6"
>
> type=SYSCALL msg=audit(1316431049.130:131982951): arch=c000003e syscall=2
> success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662
> items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
>
>
> Packages installed:
>
> redhat-release-5Server-5.7.0.3
> audit-1.7.18-2.el5
> selinux-policy-targeted-2.4.6-316.el5
>
>
>
> Current rules:
>
> ## Suppress all VMware Tools system calls
>
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools
> -F subj_type=initrc_t -F exit=-ENOENT
>
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools
> -F subj_type=initrc_t -F exit=-ENOENT
>
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools
> -F subj_type=initrc_t -F exit=-2
>
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools
> -F subj_type=initrc_t -F exit=-2
>
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>



-- 
-Rathor
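The records quoted in the question can be inspected offline before any exclusion rule is written. The Python below is an added example, not code from this thread or from the audit project; its log excerpt is constructed from the quoted records plus one unrelated event, and the spec name VMWARE_NOISE and all function names are the example's own. It groups records by the audit(timestamp:serial) identifier, which makes visible that the CWD and PATH records belong to the same event as their SYSCALL record (an exclude-filter rule on msgtype=CWD therefore drops that record type from every event, not only from the noisy ones); it normalizes the exit code, since the kernel logs it as a signed value (exit=-2 is -ENOENT) and 4294967294 is the same value read as unsigned 32-bit; and it reports which events carry the attributes a 'never' rule would key on: arch c000003e (x86_64), syscall 2 (open on x86_64), the initrc_t subject type, and a path under /usr/lib/vmware-tools.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not copied verbatim from the thread),
# modelled on the quoted records: one SYSCALL record plus its CWD and PATH
# records share the same audit(timestamp:serial) identifier.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1316431049.130:131982949):  cwd="/"
type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1316431049.131:131982952): arch=c000003e syscall=2 success=yes exit=3 a0=7fff12345678 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key="sshd-config"
type=CWD msg=audit(1316431049.131:131982952):  cwd="/"
type=PATH msg=audit(1316431049.131:131982952): item=0 name="/etc/ssh/sshd_config"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical spec mirroring the quoted records: failed open() (syscall 2 on
# x86_64, arch c000003e) returning ENOENT under /usr/lib/vmware-tools by initrc_t.
VMWARE_NOISE = {"arch": "c000003e", "syscall": 2, "exit": -2,
                "subj_type": "initrc_t", "dir": "/usr/lib/vmware-tools"}


def parse_fields(body):
    """Split 'k=v k="v" k=(none)' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text):
    """Group records into events keyed by their serial number."""
    events = defaultdict(lambda: {"syscall": None, "cwd": None, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = parse_fields(body)
        ev = events[serial]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)


def normalize_exit(value):
    """Return the exit code as a signed int. The kernel reports it signed
    (exit=-2 is -ENOENT); 4294967294 is the same bits read as unsigned 32-bit."""
    n = int(value)
    return n - 2 ** 32 if n >= 2 ** 31 else n


def subj_type(subj):
    """Extract the SELinux type from user:role:type:level."""
    parts = subj.split(":")
    return parts[2] if len(parts) >= 3 else None


def matches_spec(event, spec):
    """True if the event has every attribute in spec (keys: arch, syscall,
    exit, subj_type, dir); dir matches any PATH name below that directory."""
    sc = event["syscall"]
    if sc is None:
        return False
    if "arch" in spec and sc.get("arch") != spec["arch"]:
        return False
    if "syscall" in spec and int(sc.get("syscall", -1)) != spec["syscall"]:
        return False
    if "exit" in spec and normalize_exit(sc.get("exit", "0")) != spec["exit"]:
        return False
    if "subj_type" in spec and subj_type(sc.get("subj", "")) != spec["subj_type"]:
        return False
    if "dir" in spec:
        prefix = spec["dir"].rstrip("/") + "/"
        if not any(p and p.startswith(prefix) for p in event["paths"]):
            return False
    return True


def noise_candidates(text, spec):
    """Serials of the events that match spec, in log order."""
    return [s for s, ev in parse_events(text).items() if matches_spec(ev, spec)]


def summarize(text):
    """Count events by (exe, syscall, signed exit) to find the loudest sources."""
    counts = defaultdict(int)
    for ev in parse_events(text).values():
        sc = ev["syscall"]
        if sc:
            counts[(sc.get("exe"), int(sc["syscall"]), normalize_exit(sc["exit"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(noise_candidates(SAMPLE_LOG, VMWARE_NOISE))
```

Run against a real audit.log, summarize() shows which (exe, syscall, exit) triples dominate and noise_candidates() confirms that a candidate 'never' rule's attributes select only the intended events and none of the sshd-style events you still want recorded. Whatever rule is then written, auditctl evaluates rules in list order, so a suppression rule only takes effect when it is placed above the rules that would otherwise record the event.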