Excluding events by command

Steve Grubb sgrubb at redhat.com
Tue Sep 18 17:29:00 UTC 2012


On Tuesday, September 18, 2012 10:12:53 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> >> I'm trying to exclude cron events from audit logging. I can't see how
> >> I can exclude only this kind of entry:
> >> 
> >> ----
> >> time->Mon Sep 17 11:00:01 2012
> >> type=PATH msg=audit(1347872401.521:5212): item=0
> >> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> >> ogid=0 rdev=00:00
> >> type=CWD msg=audit(1347872401.521:5212):  cwd="/var/spool"
> >> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> >> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> >> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> >> key=(null)
> >> ----
> >> 
> >> I didn't see any option to exclude events by 'exe' or 'comm' field.
> >> 
> >> Any hints?
> > 
> > There is the possibility to exclude events by SE Linux context. But I
> > don't see a SE Linux context in your event. So, without SE Linux being
> > enabled...there's not much you can do.
> > 
> > There was a patch to audit by process name, which might address this
> > problem, but it's not accepted yet.
> 
> my patch only allows for positive match, not negative matching. I was
> afraid of someone saying something like, '-a exit,always -S open -F
> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> caveat emptor sort of thing.
> 
> I'll modify that patch and resend it, but it doesn't help the current
> situation.

I was thinking something like
-a exit,never -S open -F exe=/bin/bash

-Steve
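The thread leaves the original poster without a kernel-side way to drop crond's events (the `exe` match was still an unmerged patch at the time; later auditctl releases do document an `exe` field for `-F`). The following is an added example, not code from the thread or from the audit project: a userspace post-filter that groups audit records into whole events by their `msg=audit(TIMESTAMP:SERIAL)` id and discards every event whose SYSCALL record carries an excluded `comm` or `exe`. The sample log below is constructed, modelled on the event quoted in the first message; the `ausearch`-style `time->` and `----` separator lines are included to show they are skipped.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the crond event quoted in the thread,
# plus a second (constructed) event from an interactive bash session.
SAMPLE_LOG = """\
----
time->Mon Sep 17 11:00:01 2012
type=PATH msg=audit(1347872401.521:5212): item=0 name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1347872401.521:5212):  cwd="/var/spool"
type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2 success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640 pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
----
time->Mon Sep 17 11:01:00 2012
type=PATH msg=audit(1347872460.100:5213): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1347872460.100:5213):  cwd="/root"
type=SYSCALL msg=audit(1347872460.100:5213): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key=(null)
"""

# Event id as the kernel prints it: msg=audit(<seconds.millis>:<serial>)
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into ((ts, serial), record_type, fields).

    Returns None for lines that are not audit records (separators, time->).
    """
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return (m.group(1), m.group(2)), fields.get('type'), fields


def group_events(log_text):
    """Group records by event id, keeping first-seen order of events."""
    events = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        ev_id, rtype, fields = parsed
        events.setdefault(ev_id, []).append((rtype, fields))
    return events


def filter_events(log_text, exclude_comm=(), exclude_exe=()):
    """Return the events whose SYSCALL record does not match an excluded
    comm or exe. Whole events are dropped, so the PATH and CWD records that
    belong to an excluded SYSCALL disappear with it rather than being left
    orphaned in the output.
    """
    kept = OrderedDict()
    for ev_id, records in group_events(log_text).items():
        syscall = next((f for t, f in records if t == 'SYSCALL'), None)
        if syscall is not None and (
            syscall.get('comm') in exclude_comm
            or syscall.get('exe') in exclude_exe
        ):
            continue
        kept[ev_id] = records
    return kept


if __name__ == '__main__':
    for ev_id, records in filter_events(SAMPLE_LOG, exclude_comm={'crond'}).items():
        print(ev_id, [t for t, _ in records])
```

Two caveats for anyone using a filter like this: it runs after the fact, so the kernel still generates and writes the crond events, and only downstream consumers are spared; and keying on `exe` is more robust than keying on `comm`, because a process can rename its own `comm` while `exe` is resolved by the kernel from the running binary.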



