From: "Sincox, Anthony P"
Subject: FW: Exclusion of Linux "top" command in Audit Rules
Date: Mon, 8 Sep 2008 09:10:34 -0400
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I'm still looking for suggestions.

Thanks,
Tony

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Sincox, Anthony P
Sent: Tuesday, August 26, 2008 12:27 PM
To: linux-audit@redhat.com
Subject: Exclusion of Linux "top" command in Audit Rules

Looking for some assistance. I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.

I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.

The logging I'm receiving is similar to this:

type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00

This is the type of logging I'm trying to exclude. Any ideas would be helpful.

Thanks,
Tony Sincox

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
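A small post-processing filter over the record format quoted above, added here as an example and not part of the original message or of the audit project: it parses audit records into key=value fields, groups the SYSCALL, CWD and PATH records of one event by their audit(timestamp:serial) id, and then drops whole events whose SYSCALL record names /usr/bin/top, which is the unit a kernel rule would also have to match on. The sample log is constructed from the three lines in the message plus one unrelated event; the function names and the extra event are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the message, plus one
# unrelated event (serial 207) so the filter has something to keep.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
type=SYSCALL msg=audit(1219770681.101:207): arch=40000003 syscall=5 success=yes exit=3 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1 pid=999 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="cat" exe="/bin/cat" key="open"
type=PATH msg=audit(1219770681.101:207): item=0 name="/etc/shadow" inode=1 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
"""

# "type=<RECORD> msg=audit(<timestamp>:<serial>): <fields>"
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# Fields are key=value, where value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (record_type, event_id, fields) for one audit line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, (ts, int(serial)), fields


def group_events(text):
    """Group records by event id: {event_id: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, eid, fields = parsed
            events[eid][rtype].append(fields)
    return events


def filter_by_exe(events, exe):
    """Split events into (kept, dropped); an event is dropped as a whole
    when its SYSCALL record's exe field equals the given path."""
    kept, dropped = {}, {}
    for eid, recs in events.items():
        syscall = recs.get('SYSCALL', [{}])[0]
        (dropped if syscall.get('exe') == exe else kept)[eid] = recs
    return kept, dropped
```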