Excluding few executable from audit.rules in redhat6.5

Steve Grubb sgrubb at redhat.com
Tue Nov 18 15:25:45 UTC 2014 

On Tuesday, November 18, 2014 10:22:55 AM Tilden Doran D wrote:
> Hi
> 
> auditctl -A exit,never -F arch=b32 -S chmod -F uid=345 auditctl -A
> exit,never -F arch=b64 -S chmod -F uid=345
> 
> we  would  require a permanent fix.  If UID=345 is used, I believe that all
> auditing functionality will not work for user ID=345,

Because the events shown are not translated, I can't tell what account 345 is. 
I am assuming by its low number that its a system account. The rule above 
drops all auditing of chmod syscalls for the 345 user account.


> I mean if the userId(345) is logging in manually to the system and does some
> operation that will also be exclude.

Again, I can onlt speculate what that account is. If its a daemon, then it 
should have auid=-1 and the system works fine. Because the auid is 500, that 
tells me that user 500 started it. Because uid!=auid, I assume its either 
setuid or user 500 changed to root and then issued, "service ohasd restart". 
Its one or the other.

If user 500 changed to root and restarted the daemon, then a reboot will fix 
everything and a permanent solution is not needed. Or you can put the rule in 
depending on how often this happens. But if this is for more than one system, 
then I'd use the 345 user's name so that auditctl looks it up in case its 
different on each machine. reserved accounts are generally under 200.


> We want User inventions  logs messages to be
> captured    but exclude the System generated logs.

The rules you gave have this in them:
-F auid>=500 -F auid!=4294967295

This is to exclude daemons because they have auid of -1 (unless restarted by 
hand). 

> To be more detail.
> 
> Ohasd.bin process is started by the user( while starting the database
> process) we want to captured this log. 

The database is not started by the system on boot? Is this a system daemon or 
a user session daemon?

> But after that the ohasd.bin process
> is running in background and it does lot of read write operations, we don't
> want those logs.
> 
> Can you please let us know the way forward.

I am not familiar with that program, so I still need some answers to help you 
figure out the right way to get rid of the events.

-Steve

More information about the Linux-audit mailing list