* Do not record auditd events for crond attempts
@ 2009-03-03 16:16 Call, Tom H
2009-03-03 16:26 ` Tomas Mraz
From: Call, Tom H @ 2009-03-03 16:16 UTC (permalink / raw)
To: linux-audit
Steve, et al.
Here is a representative sample of audit.log entries recorded whenever
cron periodically (every minute) queries for cron entries that need
execution.
"
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0
auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old
auid=4294967295 new auid=0
type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0
auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0
auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
"
These events typically comprise at least 80% of all the audit.log
entries, although they are repetitive throughout the log and do not
indicate any user attempt to compromise the system.
Is there any relatively straightforward way that I can configure
auditd to not record events for crond routinely running as root?
I am using audit-1.0.16-3.el4 on CentOS-4.7
Thanks!
Tom Call, LMCO
* Re: Do not record auditd events for crond attempts
2009-03-03 16:16 Do not record auditd events for crond attempts Call, Tom H
@ 2009-03-03 16:26 ` Tomas Mraz
From: Tomas Mraz @ 2009-03-03 16:26 UTC (permalink / raw)
To: Call, Tom H; +Cc: linux-audit
On Tue, 2009-03-03 at 11:16 -0500, Call, Tom H wrote:
> Steve, et al.
>
> Here is a representative sample of audit.log entries recorded
> whenever cron periodically (every minute) queries for cron entries
> that need execution.
>
Are you sure that these entries are created even when no cron jobs are
executed? That means you do not have any cron jobs which are expected to
be run once a minute? If that were the case I'd call it a bug. Cron must
audit only when it executes a job, not on each wakeup (once a minute).
>
> These events typically comprise at least 80% of all the audit.log
> entries, although they are repetitive throughout the log and do not
> indicate any user attempt to compromise the system.
>
> Is there any relatively straightforward way that I can configure
> auditd to not record events for crond routinely running as root?
>
> I am using audit-1.0.16-3.el4 on CentOS-4.7
>
> Thanks!
>
> Tom Call, LMCO
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
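Neither message settles how to suppress these records inside auditd. What follows is an added example, not code from the thread or from the audit project, that deals with the noise in post-processing instead: it parses records in the format shown in Tom's sample, ties the LOGIN record (which carries no exe= field) to crond through the pid it shares with the neighbouring USER_ACCT/USER_START records, reports what share of the log crond root sessions account for, and lists the spacing between successive crond sessions so the once-a-minute question Tomas raises can be checked against root's crontab. The sample log is constructed: the six records from the post joined onto one line each, plus an sshd session and a second crond session invented here to exercise the filter. The filter keys on user="root" together with exe="/usr/sbin/crond" and drops only the PAM session bookkeeping for those pids; everything else, including a crond session for any other account, is kept.

```python
import re

# Constructed sample: the six crond records from the post, one per line,
# plus an sshd session (pid 20201) and a second crond session one minute
# later (pid 20333), both invented here to exercise the filter.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old auid=4294967295 new auid=0
type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0 auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_ACCT msg=audit(1236084930.500:2388): user pid=20201 uid=0 auid=4294967295 msg='PAM accounting: user="tcall" exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh result=Success)'
type=USER_START msg=audit(1236084930.600:2389): user pid=20201 uid=0 auid=500 msg='PAM session open: user="tcall" exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh result=Success)'
type=USER_ACCT msg=audit(1236084961.871:2390): user pid=20333 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084962.100:2391): user pid=20333 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value tokens; a single-quoted value (the whole PAM msg='...') is taken as one token
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

CROND_EXE = "/usr/sbin/crond"
# The user-space record types PAM emits around a session; these are the only
# types the filter is allowed to drop.
PAM_TYPES = {"USER_ACCT", "LOGIN", "USER_START", "CRED_ACQ", "CRED_DISP", "USER_END"}


def parse_record(line):
    """Parse one audit.log line into a flat dict; returns None for non-record lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in FIELD_RE.findall(m.group("body")):
        rec[key] = val.strip("'\"").rstrip(",)")
    # The PAM payload carries its own user="..." exe="..." terminal=... fields;
    # lift them out without clobbering the kernel-level keys already set.
    for key, val in FIELD_RE.findall(rec.get("msg", "")):
        rec.setdefault(key, val.strip("'\"").rstrip(",)"))
    return rec


def crond_root_pids(records):
    """pids under which crond opened a PAM session for root.

    LOGIN records have no exe= field, so they can only be attributed to crond
    through the pid they share with the surrounding USER_ACCT/USER_START records.
    """
    return {r["pid"] for r in records
            if r.get("exe") == CROND_EXE and r.get("user") == "root"}


def split_crond_noise(records):
    """Return (noise, keep): PAM bookkeeping for crond root sessions vs. everything else."""
    pids = crond_root_pids(records)
    noise, keep = [], []
    for r in records:
        is_noise = r["type"] in PAM_TYPES and r.get("pid") in pids
        (noise if is_noise else keep).append(r)
    return noise, keep


def crond_session_starts(records):
    """Timestamp of the first record of each crond root session, in time order."""
    starts = {}
    for r in records:
        if r.get("exe") == CROND_EXE and r.get("user") == "root":
            starts.setdefault(r["pid"], r["ts"])
    return sorted(starts.values())


def session_intervals(starts):
    """Seconds between successive session starts; a flat 60.0 pattern is the thing to compare with the crontab."""
    return [round(b - a, 3) for a, b in zip(starts, starts[1:])]


def summarize(log_text):
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    noise, keep = split_crond_noise(records)
    return {
        "total": len(records),
        "crond_noise": len(noise),
        "noise_fraction": len(noise) / len(records) if records else 0.0,
        "kept_serials": [r["serial"] for r in keep],
        "crond_session_intervals": session_intervals(crond_session_starts(records)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed sample this reports 10 records, 8 of them crond noise (0.8 of the log), keeps the two sshd serials 2388 and 2389, and shows a 60.0 s gap between the two crond sessions. Against a real log, feed the file contents to summarize(); the serials in kept_serials can be pulled back out with ausearch -a for review.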