Excluding events by command

Peter Moody pmoody at google.com
Tue Sep 18 17:12:53 UTC 2012


On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
>> Hi all,
>>
>> I'm trying to exclude cron events from audit logging. I can't see how can I
>> do to only exclude this kind of entries:
>>
>>
>> ----
>> time->Mon Sep 17 11:00:01 2012
>> type=PATH msg=audit(1347872401.521:5212): item=0
>> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
>> ogid=0 rdev=00:00
>> type=CWD msg=audit(1347872401.521:5212):  cwd="/var/spool"
>> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
>> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
>> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
>> key=(null)
>> ----
>>
>> I didn't see any option to exclude events by 'exe' or 'comm' field.
>>
>> Any hints?
>
> There is the possibility to exclude events by SE Linux context. But I don't
> see a SE Linux context in your event. So, without SE Linux being
> enabled...there's not much you can do.
>
> There was a patch to audit by process name, which might address this problem,
> but its not accepted yet.

my patch only allows for positive match, not negative matching. I was
afraid someone saying something like, '-a exit,always -S open -F
exe!=/bin/bash' but I suppose like any audit rule, it could be a
caveat emptor sort of thing.

I'll modify that patch and resend it, but it doesn't help the current situation.

> But looking at the event, I'm not sure about the usefulness of logging
> successful opens in the pam config directory. You might be able to better tune
> your rules. Opening for write or opens that fail might be more interesting.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038




More information about the Linux-audit mailing list