Question about excluding rules

Steve Grubb sgrubb at redhat.com
Fri Feb 21 13:53:35 UTC 2020


On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
> 
> # cat audit.rules1
> 
>       1 # This file contains the auditctl rules that are loaded
>       2 # whenever the audit daemon is started via the initscripts.
>       3 # The rules are simply the parameters that would be passed
>       4 # to auditctl.
>       5 # First rule - delete all
>       6 -D
>       7 # Increase the buffers to survive stress events.
>       8 # Make this bigger for busy systems
>       9 -b 320
>      10 ### Feel free to add below this line. See auditctl man page
>      11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
>      12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
>      13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
>      14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
>      15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
>      16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact

It won't work this way. You now have 2 sets of rootact. The audit rule engine 
is first match wins. So, this second set of rules will never trigger. The 
rule I mentioned was supposed to replace the rule in the list.

> After restarting the auditd service following error received:
> 
> # service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Unknown user: unset
> -F unknown field: auid

OK. I guess this is really old. Then make it auid=-1.

-Steve
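As an added illustration of the first-match-wins point above (example code written here, not from the thread or from audit-userspace): a small Python model that evaluates the quoted b64 rules in order against constructed execve events. The `parse_rule` and `first_match` helpers, the rule lists and the event dictionaries are all constructed for this example; only the rule syntax comes from the thread.

```python
import re

UNSET = -1  # the kernel stores an unset login uid as (unsigned)-1; newer auditctl spells it "unset"

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_rule(line):
    """Reduce an '-a exit,always ... -k key' line to its -F filters, -S syscalls and key."""
    filters = []
    for name, op, val in re.findall(r"-F\s+(\w+)(!=|>=|<=|=|>|<)(\S+)", line):
        if name == "auid" and val == "unset":
            val = UNSET                     # treat 'unset' and -1 identically
        elif name != "arch":
            val = int(val)
        filters.append((name, op, val))
    return {"filters": filters,
            "syscalls": re.findall(r"-S\s+(\w+)", line),
            "key": re.search(r"-k\s+(\S+)", line).group(1)}

def first_match(rules, event):
    """Walk the rule list in order and return the key of the first rule whose
    syscall and every -F filter match the event; later rules are never consulted."""
    for rule in rules:
        if event["syscall"] in rule["syscalls"] and all(
                OPS[op](event[name], val) for name, op, val in rule["filters"]):
            return rule["key"]
    return None

# Constructed rule sets: the duplicated layout from the quoted audit.rules (b64 lines
# only) and the intended layout, where the auid-filtered rule replaces the plain one.
DUPLICATED = [parse_rule(r) for r in (
    "-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact",
    "-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract",
    "-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact")]
REPLACED = [parse_rule(r) for r in (
    "-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact",
    "-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract")]

# Constructed events: a root execve from a daemon (no login session, auid unset),
# one from an administrator who logged in as uid 1000, and one from an ordinary user.
DAEMON_EXEC = {"arch": "b64", "syscall": "execve", "euid": 0, "auid": UNSET}
ADMIN_EXEC = {"arch": "b64", "syscall": "execve", "euid": 0, "auid": 1000}
USER_EXEC = {"arch": "b64", "syscall": "execve", "euid": 1000, "auid": 1000}
if __name__ == "__main__":
    print("duplicated, daemon:", first_match(DUPLICATED, DAEMON_EXEC))  # rootact
    print("replaced,   daemon:", first_match(REPLACED, DAEMON_EXEC))    # None
    print("replaced,   admin: ", first_match(REPLACED, ADMIN_EXEC))     # rootact
```

With the duplicated layout the plain `euid=0` rule on line 11 matches the daemon's execve first, so the `auid!=unset` rule on line 15 is never reached; with the replacement layout the daemon event falls through and only root activity from a logged-in session is keyed rootact.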
