public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Tilden Doran D <tilden.doran.d@ericsson.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Excluding few executable from audit.rules  in redhat6.5
Date: Tue, 18 Nov 2014 10:25:45 -0500
Message-ID: <1748821.1UEmklyQaj@x2>
In-Reply-To: <08DF6CD1326DBF4A80321CEA93761E5F1CB1C686@eusaamb103.ericsson.se>

On Tuesday, November 18, 2014 10:22:55 AM Tilden Doran D wrote:
> Hi
> 
> auditctl -A exit,never -F arch=b32 -S chmod -F uid=345
> auditctl -A exit,never -F arch=b64 -S chmod -F uid=345
> 
> we would require a permanent fix. If UID=345 is used, I believe that all
> auditing functionality will not work for user ID=345,

Because the events shown are not translated, I can't tell what account 345 is.
I am assuming by its low number that it's a system account. The rule above
drops all auditing of chmod syscalls for the 345 user account.


> I mean if the userId(345) is logging in manually to the system and does some
> operation, that will also be excluded.

Again, I can only speculate what that account is. If it's a daemon, then it
should have auid=-1 and the system works fine. Because the auid is 500, that
tells me that user 500 started it. Because uid!=auid, I assume it's either
setuid or user 500 changed to root and then issued "service ohasd restart".
It's one or the other.

If user 500 changed to root and restarted the daemon, then a reboot will fix
everything and a permanent solution is not needed. Or you can put the rule in
depending on how often this happens. But if this is for more than one system,
then I'd use the 345 user's name so that auditctl looks it up in case it's
different on each machine. Reserved accounts are generally under 200.


> We want user intervention log messages to be
> captured but exclude the system generated logs.

The rules you gave have this in them:
-F auid>=500 -F auid!=4294967295

This is to exclude daemons because they have auid of -1 (unless restarted by 
hand). 

> To be more detailed.
> 
> Ohasd.bin process is started by the user (while starting the database
> process); we want to capture this log.

The database is not started by the system on boot? Is this a system daemon or 
a user session daemon?

> But after that the ohasd.bin process
> is running in background and it does a lot of read/write operations; we don't
> want those logs.
> 
> Can you please let us know the way forward.

I am not familiar with that program, so I still need some answers to help you 
figure out the right way to get rid of the events.

-Steve
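
As an added illustration (not part of the thread), a small Python evaluator that applies the two rules discussed above to constructed SYSCALL records: the quoted `exit,never` chmod exclusion for uid 345, the `-F auid>=500 -F auid!=4294967295` filter, and the uid/auid comparison Steve uses to tell a boot-started daemon from one started out of a login session. The sample records, paths, event ids and the `ohasd.bin` process name used in them are constructed.

```python
import re

# Constructed sample SYSCALL records (not taken from the thread). On x86_64
# (arch=c000003e) syscall 90 is chmod and 2 is open; auid 4294967295 is unset (-1).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1416324000.001:101): arch=c000003e syscall=90 success=yes exit=0 uid=345 auid=4294967295 comm="ohasd.bin" exe="/u01/app/bin/ohasd.bin"',
    'type=SYSCALL msg=audit(1416324000.002:102): arch=c000003e syscall=90 success=yes exit=0 uid=345 auid=500 comm="ohasd.bin" exe="/u01/app/bin/ohasd.bin"',
    'type=SYSCALL msg=audit(1416324000.003:103): arch=c000003e syscall=90 success=yes exit=0 uid=500 auid=500 comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1416324000.004:104): arch=c000003e syscall=2 success=yes exit=3 uid=345 auid=500 comm="ohasd.bin" exe="/u01/app/bin/ohasd.bin"',
]

CHMOD_NR = {"c000003e": 90, "40000003": 15}  # chmod syscall number for b64 / b32
UNSET_AUID = 4294967295                       # how auid=-1 appears in the raw record
EXCLUDED_UID = 345                            # the uid from the quoted never rule


def parse_record(line):
    """Split one auditd record into key=value fields, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def never_rule_matches(rec):
    """The quoted exclusion: -A exit,never -F arch=b32/b64 -S chmod -F uid=345."""
    return CHMOD_NR.get(rec["arch"]) == int(rec["syscall"]) and int(rec["uid"]) == EXCLUDED_UID


def always_filter_matches(rec):
    """The filter in the poster's existing rules: -F auid>=500 -F auid!=4294967295."""
    auid = int(rec["auid"])
    return auid >= 500 and auid != UNSET_AUID


def evaluate(lines):
    """Return (event id, decision, note) per record. -A prepends, so the never
    rule sits ahead of the always rules and the first matching rule decides."""
    results = []
    for line in lines:
        rec = parse_record(line)
        event = re.search(r":(\d+)\)", rec["msg"]).group(1)
        if never_rule_matches(rec):
            decision = "dropped"
        elif always_filter_matches(rec):
            decision = "logged"
        else:
            decision = "no rule matched"
        # Steve's point: a daemon started at boot carries auid=-1, so a real auid
        # that differs from uid means a login session started the process.
        auid = int(rec["auid"])
        note = ("started from login session auid=%d" % auid
                if auid != UNSET_AUID and auid != int(rec["uid"]) else "")
        results.append((event, decision, note))
    return results
```

Record 101 is what a boot-started daemon would look like (auid unset), while 102 and 104 carry auid=500 with uid=345, the uid/auid mismatch Steve reasons from.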
