Excluding the single executable on the top of audit.rules

Исаев Виталий Анатольевич isaev at fintech.ru
Tue Aug 19 11:07:18 UTC 2014


Hello all,

I would like to ask for an explanation about making my audit.rules proper. What I am trying to do is to exclude all the syscall events coming from exe="/usr/bin/pulseaudio" and its components. At the moment about 95% of the audit log is filled with messages related to pulseaudio:

# aureport -x -if my.log --summary
Executable Summary Report
=================================
total  file
=================================
1156923  /usr/bin/pulseaudio
191719  /usr/libexec/pulse/gconf-helper
49282  /usr/bin/gnome-volume-control-applet
8035  /usr/libexec/gnome-settings-daemon
1045  /usr/sbin/crond
265  /usr/bin/nautilus
23  /usr/sbin/sshd

Please look through the current version of audit.rules. How should I modify them?

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
#-a exit,never -F exe=/usr/bin/pulseaudio -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S execve
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S vfork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit_group
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S getdents
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmodat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S lchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchownat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlink
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlinkat

P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.

Sincerely,
Vitaly Isaev
Software engineer
Information security department
Fintech JSC, Moscow, Russia
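The post measures the noise with "aureport -x --summary" on a saved log. The following is an added example, not code from the poster or from the audit project: a small Python parser for raw auditd SYSCALL records that produces the same per-executable summary, computes what share of events a given set of executables accounts for (so the effect of a rule change can be checked on a before/after log), and emits "exit,never" suppression lines in the ordering the subject line asks about. The log records, the path prefixes and the helper names are constructed for the example; they are not taken from the poster's log. One caveat from my own knowledge rather than the page: the -F exe= field is evaluated in the kernel and was added in kernel 4.3 with audit userspace 2.6, so on an older audit 2.2 stack such a rule is not available and filtering has to rely on other fields.

```python
import re
from collections import Counter

# Constructed SYSCALL/CWD/PATH records in the raw auditd line format.
# These are sample lines written for this example, not from the poster's log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1408446438.101:1001): arch=c000003e syscall=2 success=yes exit=11 auid=4294967295 uid=500 gid=500 ppid=2213 pid=2301 comm="pulseaudio" exe="/usr/bin/pulseaudio" key=(null)
type=CWD msg=audit(1408446438.101:1001):  cwd="/home/user"
type=PATH msg=audit(1408446438.101:1001): item=0 name="/dev/snd/controlC0" inode=9993 dev=00:05 mode=020660
type=SYSCALL msg=audit(1408446438.102:1002): arch=c000003e syscall=2 success=yes exit=12 auid=4294967295 uid=500 gid=500 ppid=2213 pid=2301 comm="pulseaudio" exe="/usr/bin/pulseaudio" key=(null)
type=SYSCALL msg=audit(1408446438.103:1003): arch=c000003e syscall=2 success=yes exit=5 auid=4294967295 uid=500 gid=500 ppid=2301 pid=2310 comm="gconf-helper" exe="/usr/libexec/pulse/gconf-helper" key=(null)
type=SYSCALL msg=audit(1408446438.104:1004): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 gid=500 ppid=2100 pid=2401 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1408446438.105:1005): arch=c000003e syscall=87 success=no exit=-2 auid=500 uid=500 gid=500 ppid=2100 pid=2402 comm="rm" exe="/bin/rm" key=(null)
"""

# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one raw audit line into a dict of its key=value fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def exe_summary(log_text):
    """Count SYSCALL records per executable, like `aureport -x --summary`."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # CWD/PATH records belong to a SYSCALL already counted
        counts[rec.get("exe", "?")] += 1
    return counts


def report(counts):
    """Render the summary as lines sorted by count, busiest executable first."""
    return ["%d  %s" % (n, exe) for exe, n in counts.most_common()]


def share(counts, exe_prefixes):
    """Fraction of SYSCALL events whose exe starts with one of the prefixes.

    Run this on a log before and after a rules change to confirm that the
    suppressed executables really stopped dominating the volume.
    """
    total = sum(counts.values())
    matched = sum(n for exe, n in counts.items()
                  if any(exe.startswith(p) for p in exe_prefixes))
    return matched / total if total else 0.0


def suppression_rules(exe_paths, arch="b64"):
    """Build `exit,never` lines for the given executables.

    auditctl evaluates rules in order, so these lines must be placed before
    the `exit,always` rules they are meant to override (hypothetical helper;
    the exe field itself needs kernel 4.3+/audit 2.6+).
    """
    return ["-a exit,never -F arch=%s -F exe=%s" % (arch, path)
            for path in exe_paths]


if __name__ == "__main__":
    counts = exe_summary(SAMPLE_LOG)
    print("\n".join(report(counts)))
    noisy = ["/usr/bin/pulseaudio", "/usr/libexec/pulse/"]
    print("share from pulseaudio components: %.0f%%" % (100 * share(counts, noisy)))
    print("\n".join(suppression_rules(["/usr/bin/pulseaudio",
                                       "/usr/libexec/pulse/gconf-helper"])))
```

Feed it a real log with `exe_summary(open("my.log").read())`; the counts should match the "aureport -x --summary" table, and share() gives the number the post quotes informally as "about 95%".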
