Question about excluding rules

Moshe Rechtman mrechtma at redhat.com
Mon Feb 24 00:27:37 UTC 2020


Hello Steve,

Thanks so much for your help, I've modified audit.rules as per your
recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact

# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1
(0xffffffff) key=rootact syscall=execve

With the above settings, audit stopped logging all root commands!
Any recommendations/suggestions would be appreciated.

Kind regards,
Moshe


Moshe Rechtman

Technical Support Engineer

Red Hat Israel <https://www.redhat.com/>

34 Jerusalem rd. Ra'anana, 43501

mrechtma at redhat.com   T: +972-9-7692289
M: +972-54-4971516   F: +972-9-7692223


On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb at redhat.com> wrote:

> On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> > Thanks so much for your help! I've included your suggested filter in
> > audit.rules as shown below:
> >
> > # cat audit.rules1
> >
> >       1 # This file contains the auditctl rules that are loaded
> >       2 # whenever the audit daemon is started via the initscripts.
> >       3 # The rules are simply the parameters that would be passed
> >       4 # to auditctl.
> >       5 # First rule - delete all
> >       6 -D
> >       7 # Increase the buffers to survive stress events.
> >       8 # Make this bigger for busy systems
> >       9 -b 320
> >      10 ### Feel free to add below this line. See auditctl man page
> >      11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> >      12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> >      13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> >      14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> >      15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
> > rootact
> >      16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k
> > rootact
>
> It won't work this way. You now have 2 sets of rootact. The audit rule
> engine is a first match wins. So, this second set of rules will never
> trigger. The rule I mentioned was supposed to replace the rule in the list.
>
> > After restarting the auditd service following error received:
> >
> > # service auditd restart
> > Stopping auditd:                                           [  OK  ]
> > Starting auditd:                                           [  OK  ]
> > Unknown user: unset
> > -F unknown field: auid
>
> OK. I guess this is really old. Then make it auid=-1
>
> -Steve
>
>
>
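The two points in this thread (first-match-wins rule evaluation, and what an auid filter of -1 selects) can be checked without a kernel by modelling the filter. The following is an added example, not code from the audit project or from either poster; the rule strings are taken from the messages above, except RULE_LOGIN_ONLY, which assumes the intended spelling of the quoted `auid!=unset` rule on an old auditctl is `auid!=-1`.

```python
import re

# Rule lines: the first two are from the thread; the third assumes the
# 'auid!=unset' rule was meant as 'auid!=-1' (unset auid spelled as -1).
RULE_ALL_ROOT = "-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact"
RULE_AS_POSTED = "-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact"
RULE_LOGIN_ONLY = "-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact"

FIELD_RE = re.compile(r"(\w+)(!=|>=|<=|=|>|<)(-?\w+)")
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_rule(line):
    """Split one '-a exit,always -F ... -S ... -k key' line into
    (conditions, syscalls, key). Numeric values become ints so -1 (unset auid)
    and comparisons such as euid>=500 work; arch stays a string like 'b64'."""
    toks = line.split()
    conds, syscalls, key = [], set(), None
    for i, tok in enumerate(toks):
        if tok == "-F":
            name, op, val = FIELD_RE.fullmatch(toks[i + 1]).groups()
            conds.append((name, op, int(val) if re.fullmatch(r"-?\d+", val) else val))
        elif tok == "-S":
            syscalls.update(toks[i + 1].split(","))
        elif tok == "-k":
            key = toks[i + 1]
    return conds, syscalls, key

def first_match(rules, event):
    """Model the kernel's first-match-wins filtering: return (rule index, key)
    of the first rule whose syscall list and every -F condition hold for the
    event, or None. Events are dicts with arch, euid, auid and syscall."""
    for idx, rule in enumerate(rules):
        conds, syscalls, key = parse_rule(rule)
        if event["syscall"] in syscalls and all(OPS[op](event[f], v) for f, op, v in conds):
            return idx, key
    return None

# Constructed events: an interactive root shell (auid is the login uid) and a
# root cron job, which has no login session so its auid is unset (-1).
ROOT_SHELL = {"arch": "b64", "euid": 0, "auid": 1000, "syscall": "execve"}
ROOT_CRON = {"arch": "b64", "euid": 0, "auid": -1, "syscall": "execve"}

if __name__ == "__main__":
    print("auid=-1  shell/cron:", first_match([RULE_AS_POSTED], ROOT_SHELL), first_match([RULE_AS_POSTED], ROOT_CRON))
    print("auid!=-1 shell/cron:", first_match([RULE_LOGIN_ONLY], ROOT_SHELL), first_match([RULE_LOGIN_ONLY], ROOT_CRON))
    # Broad rootact rule listed first: the narrower second rule can never fire.
    print("two rootact sets   :", first_match([RULE_ALL_ROOT, RULE_LOGIN_ONLY], ROOT_SHELL))
```

Running it shows that `auid=-1` selects only the cron-style event and skips the login shell, `auid!=-1` does the reverse, and a second rootact rule placed after the broad one is never reached.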