Excluding few executable from audit.rules in redhat6.5

Wed Nov 19 05:38:24 UTC 2014

Hi Steve,

Yes, you are correct. We login as User 500 and switch user to oracle  and issue the command.

The User 345 is oracle user. Which is used for oracle related activities in the system.

The command which we issue is srvctl stop/start database. We always install oracle and start manually for the first time.

As you mentioned, on reboot the system, it not generating too many logs. But the problem is,  we cannot reboot the system every time, which only requires DB restart.  Because application also be hosted in the same system.

The Srvctl command internally starts the ohasd.bin.

So can we avoid it, I mean do we have an option to exclude the ohasd.bin by using something like "-F exe!=ohasd.bin " or "-F path!= ...." . I tried both, it is not working.

Because "-F UID!=345" will  restrict all the logs.  Can we restrict the log which is generated by that particular process/application.  ?

Thanks

Tilden

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Tuesday, November 18, 2014 8:56 PM
To: Tilden Doran D
Cc: linux-audit at redhat.com
Subject: Re: Excluding few executable from audit.rules in redhat6.5

On Tuesday, November 18, 2014 10:22:55 AM Tilden Doran D wrote:

> Hi

>

> auditctl -A exit,never -F arch=b32 -S chmod -F uid=345 auditctl -A

> exit,never -F arch=b64 -S chmod -F uid=345

>

> we  would  require a permanent fix.  If UID=345 is used, I believe

> that all auditing functionality will not work for user ID=345,

Because the events shown are not translated, I can't tell what account 345 is.

I am assuming by its low number that its a system account. The rule above drops all auditing of chmod syscalls for the 345 user account.

> I mean if the userId(345) is logging in manually to the system and does some

> operation that will also be exclude.

Again, I can onlt speculate what that account is. If its a daemon, then it

should have auid=-1 and the system works fine. Because the auid is 500, that

tells me that user 500 started it. Because uid!=auid, I assume its either

setuid or user 500 changed to root and then issued, "service ohasd restart".

Its one or the other.

If user 500 changed to root and restarted the daemon, then a reboot will fix

everything and a permanent solution is not needed. Or you can put the rule in

depending on how often this happens. But if this is for more than one system,

then I'd use the 345 user's name so that auditctl looks it up in case its

different on each machine. reserved accounts are generally under 200.

> We want User inventions  logs messages to be

> captured    but exclude the System generated logs.

The rules you gave have this in them:

-F auid>=500 -F auid!=4294967295

This is to exclude daemons because they have auid of -1 (unless restarted by

hand).

> To be more detail.

>

> Ohasd.bin process is started by the user( while starting the database

> process) we want to captured this log.

The database is not started by the system on boot? Is this a system daemon or

a user session daemon?

> But after that the ohasd.bin process

> is running in background and it does lot of read write operations, we don't

> want those logs.

>

> Can you please let us know the way forward.

I am not familiar with that program, so I still need some answers to help you

figure out the right way to get rid of the events.

-Steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20141119/5073fa50/attachment.htm>