Suppress messages from /var/log/audit.log via audit.rules

Worsham, Michael mworsham at SCIRES.COM
Thu Sep 29 15:12:43 UTC 2011


Well the CWD messages disappeared, but the remaining messages are still appearing:

type=PATH msg=audit(1317309325.053:226843501): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/x86_64/libc.so.6"
type=SYSCALL msg=audit(1317309325.053:226843502): arch=c000003e syscall=2 success=no exit=-2 a0=7fff4be653d0 a1=0 a2=2b4aab9ca000 a3=6462696c2f343662 items=1 ppid=14038 pid=14040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=PATH msg=audit(1317309325.053:226843502): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1317309325.053:226843503): arch=c000003e syscall=2 success=no exit=-2 a0=7fff4be653d0 a1=0 a2=2b4aab9ca000 a3=6462696c2f343662 items=1 ppid=14038 pid=14040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=PATH msg=audit(1317309325.053:226843503): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/x86_64/libc.so.6"
type=SYSCALL msg=audit(1317309325.053:226843504): arch=c000003e syscall=2 success=no exit=-2 a0=7fff4be653d0 a1=0 a2=2b4aab9ca000 a3=6462696c2f343662 items=1 ppid=14038 pid=14040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)

Current rules:

# Exclude all cwd message types
-a exclude,always -F msgtype=CWD

## Suppress all VMware Tools messages
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=4294967294
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=4294967294

-- Michael

________________________________________
From: Vipin Rathor [v.rathor at gmail.com]
Sent: Thursday, September 29, 2011 10:54 AM
To: Worsham, Michael
Cc: linux-audit at redhat.com
Subject: Re: Suppress messages from /var/log/audit.log via audit.rules

From the little knowledge that I have -
For excluding 'cwd' type messages, try this at the beginning of rule file:
-a exclude,always -F msgtype=CWD

For other messages, try 'exit=4294967294' in rules. Not sure if this
will solve it, but worth a try.

On Thu, Sep 29, 2011 at 8:01 PM, Worsham, Michael <mworsham at scires.com> wrote:
> Does anyone have an idea on how to suppress (exclude) these entries from
> showing up in the audit.log on a RHEL platform? I have tried the following
> to no success:
>
> type=CWD msg=audit(1316431049.130:131982948):  cwd="/"
> type=PATH msg=audit(1316431049.130:131982948): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/x86_64/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
> type=CWD msg=audit(1316431049.130:131982949):  cwd="/"
> type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982950): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
> type=CWD msg=audit(1316431049.130:131982950):  cwd="/"
> type=PATH msg=audit(1316431049.130:131982950): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/x86_64/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982951): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
>
> Packages installed:
>
> redhat-release-5Server-5.7.0.3
> audit-1.7.18-2.el5
> selinux-policy-targeted-2.4.6-316.el5
>
> Current rules:
>
> ## Suppress all VMware Tools system calls
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
>
> ________________________________
> CONFIDENTIALITY NOTICE: This email and any attachments are intended solely
> for the use of the named recipient(s). This email may contain confidential
> and/or proprietary information of Scientific Research Corporation. If you
> are not a named recipient, you are prohibited from reviewing, copying,
> using, disclosing or distributing to others the information in this email
> and attachments. If you believe you have received this email in error,
> please notify the sender immediately and permanently delete the email, any
> attachments, and all copies thereof from any drives or storage media and
> destroy any printouts of the email or attachments.
>
> EXPORT COMPLIANCE NOTICE: This email and any attachments may contain
> technical data subject to U.S export restrictions under the International
> Traffic in Arms Regulations (ITAR) or the Export Administration Regulations
> (EAR). Export or transfer of this technical data and/or related information
> to any foreign person(s) or entity(ies), either within the U.S. or outside
> of the U.S., may require advance export authorization by the appropriate
> U.S. Government agency prior to export or transfer. In addition, technical
> data may not be exported or transferred to certain countries or specified
> designated nationals identified by U.S. embargo controls without prior
> export authorization. By accepting this email and any attachments, all
> recipients confirm that they understand and will comply with all applicable
> ITAR, EAR and embargo compliance requirements.
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>



--
-Rathor
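Added example, not part of the thread above and not code from either poster: a Python script that groups raw audit records into events by their audit(timestamp:serial) identifier, which is how the kernel ties the SYSCALL, CWD and PATH records of one syscall together, and then simulates the two kinds of rule discussed in the thread. It models auditctl's -F path= as an exact match on a PATH name and -F dir= as a directory-prefix match, and models -a exclude,always -F msgtype=CWD as dropping CWD records from every event on the host, not only the VMware Tools ones. The simulated rules key on syscall 2, the syscall number carried in the quoted records (open on arch c000003e, x86_64). The sample log is constructed: the first event copies one of the quoted VMware Tools events, the second (a non-root cat failing on /etc/shadow) is invented to show what a filter must not drop. The example also assumes exit=-2 and exit=4294967294 name the same 32-bit value, as both are 0xFFFFFFFE when masked to 32 bits.

```python
import re
from collections import defaultdict

# Constructed sample log. Event 226843502 copies one of the quoted VMware Tools
# events; event 226843600 is an invented, unrelated failed open() to keep.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1317309325.053:226843502): arch=c000003e syscall=2 success=no exit=-2 a0=7fff4be653d0 a1=0 a2=2b4aab9ca000 a3=6462696c2f343662 items=1 ppid=14038 pid=14040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1317309325.053:226843502):  cwd="/"
type=PATH msg=audit(1317309325.053:226843502): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1317309330.120:226843600): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2a1c0b40 a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1317309330.120:226843600):  cwd="/home/alice"
type=PATH msg=audit(1317309330.120:226843600): item=0 name="/etc/shadow"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one record into (type, serial, {field: value}); None if not a record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def group_events(log_text):
    """Group records by serial: the SYSCALL, CWD and PATH records of one
    syscall share the audit(timestamp:serial) identifier."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return dict(events)


def exit_as_u32(value):
    """Assumption: exit=-2 and exit=4294967294 name the same 32-bit value,
    so exit codes are compared after masking to 32 bits."""
    return int(value) & 0xFFFFFFFF


def rule_matches(event, rule):
    """Simulate an '-a exit,never' rule: every -F field must match. 'path' is an
    exact PATH-name match, 'dir' a directory-prefix match; success=0 = failed."""
    syscall = next((f for t, f in event if t == 'SYSCALL'), None)
    if syscall is None:
        return False
    names = [f['name'] for t, f in event if t == 'PATH' and 'name' in f]
    checks = {
        'syscall': lambda v: int(syscall['syscall']) == v,
        'success': lambda v: (syscall['success'] == 'yes') == bool(v),
        'exit': lambda v: exit_as_u32(syscall['exit']) == exit_as_u32(v),
        'subj_type': lambda v: syscall['subj'].split(':')[2] == v,
        'path': lambda v: v in names,
        'dir': lambda v: any(n == v or n.startswith(v.rstrip('/') + '/') for n in names),
    }
    return all(checks[k](v) for k, v in rule.items())


def apply_rules(events, never_rules, exclude_types=()):
    """Return the events that still reach audit.log. never_rules drop a whole
    event; exclude_types drops that record type from *every* event (exclude filter)."""
    kept = {}
    for serial, records in events.items():
        if any(rule_matches(records, r) for r in never_rules):
            continue
        kept[serial] = [(t, f) for t, f in records if t not in exclude_types]
    return kept


# The thread's rule modelled with an exact path, and a directory-prefix variant.
VMWARE_PATH_RULE = {'syscall': 2, 'success': 0, 'exit': -2,
                    'subj_type': 'initrc_t', 'path': '/usr/lib/vmware-tools'}
VMWARE_DIR_RULE = {'syscall': 2, 'success': 0, 'exit': 4294967294,
                   'subj_type': 'initrc_t', 'dir': '/usr/lib/vmware-tools'}


def demo():
    events = group_events(SAMPLE_LOG)
    with_path = apply_rules(events, [VMWARE_PATH_RULE])
    with_dir = apply_rules(events, [VMWARE_DIR_RULE])
    no_cwd = apply_rules(events, [], exclude_types={'CWD'})
    return {
        'events': len(events),
        'kept_with_path_rule': sorted(with_path),
        'kept_with_dir_rule': sorted(with_dir),
        'cwd_records_after_exclude': sum(t == 'CWD' for recs in no_cwd.values() for t, _ in recs),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Running it shows three things: the exact-path rule keeps both events, because the PATH names are files below /usr/lib/vmware-tools rather than that directory itself; the directory-prefix rule drops only the VMware Tools event; and the CWD exclude strips the cwd record from the unrelated /etc/shadow event as well, so every other event on the host loses the directory context its PATH names are relative to. Whether auditctl and the kernel in audit-1.7.18 evaluate dir= and exit= exactly as modelled here is an assumption; load the candidate rules with auditctl -R and confirm with ausearch before relying on them.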
