Excluding few executable from audit.rules in redhat6.5
LC Bruzenak
lenny at magitekltd.com
Mon Nov 17 16:14:59 UTC 2014
On 11/17/2014 09:30 AM, Steve Grubb wrote:
> Well, what do you really want to do? In general, I'd look at the original
> auditing rule to see if its scope can be narrowed. In this case, it appears
> that you are wanting all calls to chmod. Why? Are you more concerned with
> failed calls to chmod, meaning a user is trying to change system files? Are
> system daemons calling chmod OK? Or do you really want everything? Or do you
> want no events at all for that daemon no matter what the syscall?
>
> The event you are showing is that app successfully making a directory world
> writable/readable. Its setting the sticky bit, so its "safe."
I think this is auditing because the supplied STIG rules specify it.
The "perm_mod" key is the hint. You probably do not want to remove this
rule for all chmod syscalls.
You cannot exclude an executable itself from the rule set by name.
The "exclude" option only applies to event types.
You could exclude it by type, except it is running as a generic
unconfined_t.
Perhaps it can be mitigated by "-F path !=<path>" or something similar.
Check the auditctl man page for options.
LCB
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2193 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20141117/654a8948/attachment.p7s>
More information about the Linux-audit
mailing list