Excluding audit for BIND daemon

Steve Grubb sgrubb at redhat.com
Sat Sep 23 18:54:47 UTC 2017 

Hello,

On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote:
> As per the config file which I had sent (/etc/audit/audit.rules); below
> line has root_action
> 
> *-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
> root_action*

If you wanted just people and not daemons, then I would suggest changing the
rule to this:

-a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

However, that is likely to trigger way more events than you need. Because this
will trigger on every single syscall and slow down the system. What you would
normally want to know is which commands were run as root. A rule for that
would look like this:

-a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action
-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

Another approach would be to enable keystroke logging. This would involve
adding pam_audit_tty to the su and sudo pam configs. Use the default setting
shown in the pam man page. If you do this, then don't have the root_action
rule because you'll get double information.

And last bit of advice...there are pre-written rules that you can install. On
Fedora, they are located in /usr/share/doc/audit/rules/. There is a README-rules
file that explains how to use them.

-Steve

> I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
> 
> Thanks!
> 
> 
> 
> Best Regards,
> Rituraj B
> 
> On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > > Continued...from previous mail of mine..
> > > 
> > > While I am reading and exploring much on auditd & on how I can have a
> > > proper central system where logs are stored and daily reports get
> > > generated, you might want to look at my config file on server and
> > > suggest/recommend if anything - would appreciate if any pointers.
> > > 
> > > I am using default config which came with Ubuntu 16.04 and only change
> > 
> > was*
> > 
> > > "-F auid!=4294967295"* on line where root_action is defined .
> > 
> > There is no rule, root_action, that is shipped with the audit package. I
> > would
> > be interested in seeing it if you could copy and paste it into a reply.
> > 
> > -Steve

More information about the Linux-audit mailing list