Exclude /usr/libexec/mysqld from audit.rules

Derek Warner derek.warner at riptidesoftware.com
Fri Dec 6 20:34:27 UTC 2013


ALCON,

We have a CentOS machine running CentOS 6, and it uses MySQL. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2 GB of audit data rather quickly. Here is the audit.

Dec  6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)

I have tried the following:

-a exit,never -F path=/usr/libexec/mysqld

When using "-F", I noticed in one RHEL forum that someone used -F exe=

However, in CentOS, exe is not a recognized field when using -F.

We do not wish to audit this data; can someone please help me exclude the
audit?

V/R

Derek Warner – CISSP-ISSEP

Information System Security Engineer

Riptide Software

w- 321-296-0068 x 136

c-  407-716-9223

derek.warner at riptidesoftware.com

derek.a.warner at us.army.mil
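
Added example, not part of the original message: a small parser for audispd SYSCALL records like the one quoted above, which groups events by executable, syscall, uid and rule key to show what is producing the volume. SAMPLE[0] is the record from the message rejoined onto one line; the other two records, the sshd values and all function names are constructed for this example.

```python
import errno
import re
from collections import Counter

# SAMPLE[0] is the record quoted in the message (rejoined onto one line).
# SAMPLE[1] and SAMPLE[2] are constructed for this example.
_MYSQLD = (
    'Dec  6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL '
    'msg=audit(1386361331.932:{serial}): arch=c000003e syscall=142 success=no '
    'exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 '
    'pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 '
    'egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" '
    'exe="/usr/libexec/mysqld" key=(null)'
)
SAMPLE = [
    _MYSQLD.format(serial=3572423),
    _MYSQLD.format(serial=3572424),
    'Dec  6 15:22:13 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL '
    'msg=audit(1386361333.101:3572425): arch=c000003e syscall=2 success=yes '
    'exit=3 items=1 ppid=1 pid=1200 auid=500 uid=0 comm="sshd" '
    'exe="/usr/sbin/sshd" key="logins"',
]

STAMP = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = '4294967295'  # (uint32)-1: no login uid, i.e. not started from a login session
SYSCALL_NAMES = {('c000003e', '142'): 'sched_setparam'}  # x86_64; only the post's syscall

def parse_record(line):
    """Return the record's fields as a dict, or None if it is not an audit record."""
    stamp = STAMP.search(line)
    if stamp is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec['time'], rec['serial'] = float(stamp.group(1)), int(stamp.group(2))
    return rec

def describe(rec):
    """Decode the fields that say what the event is and whether a keyed rule logged it."""
    failed = rec.get('success') == 'no'
    return {
        'syscall': SYSCALL_NAMES.get((rec['arch'], rec['syscall']), rec['syscall']),
        'error': errno.errorcode.get(-int(rec['exit'])) if failed else None,
        'login_uid_set': rec['auid'] != UNSET,
        'rule_key': None if rec['key'] == '(null)' else rec['key'],
    }

def noisy_sources(lines):
    """Count SYSCALL records per (exe, syscall, uid, key), most frequent first."""
    recs = (parse_record(line) for line in lines)
    return Counter((r['exe'], r['syscall'], r['uid'], r['key'])
                   for r in recs if r and r.get('type') == 'SYSCALL').most_common()
```

Run over the real /var/log/messages, the top entries of noisy_sources() show which combination of executable, syscall and uid accounts for the audit volume.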