Excluding few executable from audit.rules in redhat6.5

Steve Grubb sgrubb at redhat.com
Wed Nov 19 15:31:11 UTC 2014


Hello,

On Wednesday, November 19, 2014 05:38:24 AM Tilden Doran D wrote:
> The User 345 is oracle user. Which is used for oracle related activities in
> the system.
> 
> The command which we issue is srvctl stop/start database. We always install
> oracle and start manually for the first time.
> 
> As you mentioned, on reboot the system, it not generating too many logs. But
> the problem is,  we cannot reboot the system every time, which only
> requires DB restart.  Because application also be hosted in the same
> system.
 
OK. 
 
> The Srvctl command internally starts the ohasd.bin.
> 
> So can we avoid it, I mean do we have an option to exclude the ohasd.bin by
> using something like "-F exe!=ohasd.bin " or "-F path!= ...." . I tried
> both, it is not working.

These are not possible. I have lobbied for audit by executable for a couple of 
years. We are close to having it ready to go into the upstream kernel. But it's 
not ready and can't be used.

Normally one could exclude by SE Linux label, but since your original post 
showed unconfined_t, then that means there is no policy because the daemon did 
not transition out of unconfined_t.


> Because "-F UID!=345" will  restrict all the logs.

The rule that I gave you would filter only the chmod syscall caused by anything 
with uid = 345. I think that is about the most reasonable choice you have 
short of doing some selinux policy work so we have something pid specific to 
match against.

> Can we restrict the log which is generated by that particular
> process/application.  ?

You could add a rule using the pid, but next restart you'll have to change the 
rule to the new pid. And probably by the time you can type that rule in, the 
daemon has already done all the chmod that it's going to do.

Maybe if the events are localized to a specific directory, you can do something 
like:

auditctl -A exit,never -F arch=b32 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/
auditctl -A exit,never -F arch=b64 -S chmod -F uid=345 -F dir=/opt/oracle_homes/oracle/


-Steve
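The following is an added example and is not part of Steve's reply or the audit project's own code. It turns the exclusion-by-directory idea above into a rules fragment for audit.rules and adds the check a practitioner would want: that the "never" rules are evaluated before the "always" rule that would otherwise log the chmod events. uid 345 and /opt/oracle_homes/oracle/ are taken from the thread; the "always" chmod rule with key perm_mod is an assumed stand-in for the rule the thread refers to but does not show.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the oracle chmod exclusion
# rules in the order the kernel filter needs, and checks a rules file for
# that order. uid 345 and the directory come from the thread; the "always"
# rule with key perm_mod is an assumption standing in for the watch rule
# the thread mentions but does not show.

# Emit four rule lines: the two "never" exclusions first (with -A, which
# prepends them to the in-kernel list), then the general chmod watch rules.
# The exit filter stops at the first matching rule, so an exclusion only
# takes effect if it sits ahead of the rule that would log the event.
oracle_chmod_rules() {
    uid="$1"
    dir="$2"
    for arch in b32 b64; do
        printf -- '-A exit,never -F arch=%s -S chmod -F uid=%s -F dir=%s\n' \
            "$arch" "$uid" "$dir"
    done
    for arch in b32 b64; do
        printf -- '-a always,exit -F arch=%s -S chmod -k perm_mod\n' "$arch"
    done
}

# Sanity check for a rules file: every "never" rule on chmod must appear
# before the first "always" rule on chmod. A "never" rule written with -A is
# prepended regardless of file position, but a file that uses -a throughout
# silently misorders. Returns 0 when the order is correct, 1 otherwise.
never_rules_first() {
    awk '
        /-S chmod/ && /never/  { if (seen_always) bad = 1 }
        /-S chmod/ && /always/ { seen_always = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Usage: write the fragment, verify the order, then (as root on the audited
# host) load it with "auditctl -R <file>" or merge it into audit.rules.
rules="${TMPDIR:-/tmp}/oracle-chmod.rules"
oracle_chmod_rules 345 /opt/oracle_homes/oracle/ > "$rules"
never_rules_first "$rules" && echo "rule order OK: $rules"
```

On RHEL 6 the rules live in /etc/audit/audit.rules and are loaded with auditctl -R when auditd starts, so the fragment can be pasted there as long as the "never" lines keep their -A (or precede the "always" line). The -F dir= match covers files under that directory only; chmod calls the daemon makes elsewhere are still logged.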