Question about excluding rules

Thu Feb 20 23:36:46 UTC 2020

Hello Experts,

We have a big customer that facing the following issue on RHEL 6.2.
As per customer request I've configured the following rules:

$ cat audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract

Audit start working as expected. Now customer is asking to exclude/ignore
the following from audit logs:

type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516):  cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh"
inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517):  cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps"
inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

What would be the best way to exclude such audit?
Your help would be much appreciated.

Thanks in advance & kind regards,
Moshe

Moshe Rechtman

Technical Support Engineer

Red Hat Israel <https://www.redhat.com/>

34 Jerusalem rd. Ra'anana, 43501

*mrechtma at redhat.com <kweg at redhat.com> *  T: *+972-9-**7692289 *
M: *+972-54-4971516*   F: +972-9-7692223
@RedHat <https://twitter.com/redhat>   Red Hat
<https://www.linkedin.com/company/red-hat>  Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20200221/2027b2c5/attachment.htm>