From: Tomas Mraz <tmraz@redhat.com>
To: "Call, Tom H" <tom.h.call@lmco.com>
Cc: linux-audit@redhat.com
Subject: Re: Do not record auditd events for crond attemps
Date: Tue, 03 Mar 2009 17:26:28 +0100
Message-ID: <1236097589.4551.211.camel@vespa.frost.loc>
In-Reply-To: <F52B06C2296C6144AACF23676E96DDBD12A6E8A2@emss03m13.us.lmco.com>
On Tue, 2009-03-03 at 11:16 -0500, Call, Tom H wrote:
> Steve, et al.
>
> Here is a representative sample of audit.log entries recorded
> whenever cron periodically (every minute) queries for cron entries
> that need execution.
>
Are you sure that these entries are created even when no cron jobs are
executed? That means you do not have any cron jobs which are expected to
be run once in a minute? If that was the case, I'd call it a bug. Cron must
audit only when it executes a job, not on each wakeup (once in a minute).
>
> These events typically comprise at least 80% of all the audit.log
> entries although they are repetitive throughout the log and do not
> indicate any user attempt to compromise the system.
>
> Is there any relatively straightforward way that I can configure
> Auditd to not record events for crond routinely running as root?
>
> I am using audit-1.0.16-3.el4 on CentOS-4.7
>
> Thanks!
>
> Tom Call, LMCO
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb