Question about excluding rules

Moshe Rechtman mrechtma at redhat.com
Fri Feb 21 00:04:37 UTC 2020


Hello Steve,

Thanks for the quick response.
Those particular logs are generated by a third-party monitoring application
named Microfocus, which keeps running the "ps -auxwwww" command and quickly
fills up the audit log.

Please advise.

Thanks in advance,
Kind regards,
Moshe



On Fri, Feb 21, 2020, 01:41, Steve Grubb <sgrubb at redhat.com> wrote:

> On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > Hello Experts,
> >
> > We have a big customer that facing the following issue on RHEL 6.2.
> > As per customer request I've configured the following rules:
> >
> > $ cat audit.rules
> >
> > # This file contains the auditctl rules that are loaded
> > # whenever the audit daemon is started via the initscripts.
> > # The rules are simply the parameters that would be passed
> > # to auditctl.
> >
> > # First rule - delete all
> > -D
> >
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> >
> > # Feel free to add below this line. See auditctl man page
> >
> > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> >
> >
> > Audit start working as expected. Now customer is asking to exclude/ignore
> > the following from audit logs:
> >
> > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> > key="rootact"
> > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> > a2=2F62696E2F70732061757877777777
> > type=CWD msg=audit(1581664357.597:257516):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > exe="/bin/ps" key="rootact"
> > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > What would be the best way to exclude such audit?
> > Your help would be much appreciated.
>
> What's objectionable about these events? The fact that its got a key says
> they think they wanted it.
>
> -Steve
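The hex-encoded a2 in the first quoted event is the same ps command line wrapped in sh -c, which matters when deciding which events to drop. The following is an added example, not code from the thread, that decodes EXECVE arguments, joins the records sharing one serial into an event, and flags the Microfocus ps runs; it assumes /opt/microfocus/Discovery/bin (taken from the quoted cwd) as the monitoring tool's directory and uses constructed sample records.

```python
import re
from collections import defaultdict

# Constructed sample: the two quoted events (fields trimmed) plus one unrelated root execve to keep.
SAMPLE = """\
type=SYSCALL msg=audit(1581664357.597:257516): syscall=59 a0=3869161ea3 pid=59266 euid=0 comm="sh" exe="/bin/bash" key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
type=SYSCALL msg=audit(1581664357.601:257517): syscall=59 a0=155c2f0 pid=59266 euid=0 comm="ps" exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
type=SYSCALL msg=audit(1581664400.000:257600): syscall=59 a0=1f2e3d pid=777 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="rootact"
type=EXECVE msg=audit(1581664400.000:257600): argc=2 a0="useradd" a1="newuser"
type=CWD msg=audit(1581664400.000:257600): cwd="/root"
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_ARG, HEX = re.compile(r'a\d+'), re.compile(r'[0-9A-F]+')
NOISY_CWD = "/opt/microfocus/Discovery/bin"   # assumed: the tool's directory from the quoted events

def parse_record(line):
    """One record -> dict; only EXECVE a<N> fields are hex-decoded (SYSCALL a0..a3 are raw registers)."""
    rec = {}
    for key, raw in FIELD.findall(line):
        if key == "msg":                                   # msg=audit(TIME:SERIAL):
            ts, serial = raw[6:raw.index(")")].split(":")
            rec["time"], rec["serial"] = float(ts), int(serial)
        elif raw.startswith('"'):                          # plain string, just unquote it
            rec[key] = raw[1:-1]
        elif rec.get("type") == "EXECVE" and EXECVE_ARG.fullmatch(key) and HEX.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")  # argument held a space/control byte
        else:
            rec[key] = raw
    return rec

def parse_events(text):
    """Join the SYSCALL/EXECVE/CWD records that share one serial into a single execve event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec["type"] == "EXECVE":
            ev["argv"] = [rec["a%d" % i] for i in range(int(rec["argc"]))]
        else:
            ev.update(rec)
    return [events[s] for s in sorted(events)]

def is_monitoring_noise(ev, noisy_cwd=NOISY_CWD):
    """True for a ps command line run from the monitoring tool's directory; matching on the
    decoded argv catches the 'sh -c /bin/ps auxwwww' wrapper as well as /bin/ps itself."""
    words = " ".join(ev.get("argv", [])).split()
    return ev.get("cwd") == noisy_cwd and any(w in ("ps", "/bin/ps") for w in words)
```

Anything this function flags could be dropped by a log consumer or used to justify a narrower kernel rule; the unrelated root execve is kept.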