From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Исаев Виталий Анатольевич" <isaev@fintech.ru>
Subject: Re: Excluding the single executable on the top of audit.rules
Date: Tue, 19 Aug 2014 16:32:55 -0400
Message-ID: <1846709.GW3lW58yy4@x2>
In-Reply-To: <69303615BE133645963548DD4A3BFCB3DC4EE3@E2K7.fintech.ru>

Hello,

On Tuesday, August 19, 2014 11:07:18 AM Исаев Виталий Анатольевич wrote:
> I would like to ask for an explanation about making my audit.rules proper.
> What I am trying to do is exclude all the syscall events coming from
> exe="/usr/bin/pulseaudio" and its components. At the moment about 95% of
> audit log is filled with messages related to pulseaudio:
> 
> # aureport -x -if my.log --summary
> Executable Summary Report
> =================================
> total  file
> =================================
> 1156923  /usr/bin/pulseaudio

I would be curious which rule you are getting hit with. Normally, you design 
the rules so that a properly running system does not cause events. This means 
qualifying the rules with something like EPERM or EACCES so that you only log 
real problems and not normal system operation. That said, at the moment, the 
best way to remove a single process is to use SELinux types in the audit 
event. However, this trick does not work in this case because pulseaudio has 
no SELinux policy. You would almost want to give it a type that maps to 
unconfined_t. Then you could write a rule like:

-a exit,never -S all -F subj_type=pulseaudio_t

You would place that at the top of the rules so it matches first. There was 
work going on to match against an executable name. But I haven't seen any 
progress in a long time. If that were finished, it would solve your problem.

-Steve


> 191719  /usr/libexec/pulse/gconf-helper
> 49282  /usr/bin/gnome-volume-control-applet
> 8035  /usr/libexec/gnome-settings-daemon
> 1045  /usr/sbin/crond
> 265  /usr/bin/nautilus
> 23  /usr/sbin/sshd
> 
> Please look through the current version of audit.rules. How should I modify
> them?
> 
> # First rule - delete all
> -D
> 
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> 
> # Feel free to add below this line. See auditctl man page
> #-a exit,never -F exe=/usr/bin/pulseaudio -S open
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S open
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S execve
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fork
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S vfork
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit_group
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S getdents
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chmod
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmod
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmodat
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chown
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchown
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S lchown
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchownat
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlink
> -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlinkat
> 
> P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.
> 
> Sincerely,
> Vitaly Isaev
> Software engineer
> Information security department
> Fintech JSC, Moscow, Russia


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
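Added example, not part of the thread and not the original poster's configuration: one way to lay out audit.rules along the lines Steve describes above. The "never" rule sits first because the kernel walks the rule list in order and a matching "never" rule stops processing; the "always" rules are qualified with exit=-EACCES / exit=-EPERM so a correctly behaving pulseaudio (or any other daemon) produces no events at all and needs no exclusion. Assumptions: pulseaudio_t is the hypothetical SELinux type Steve mentions and does not exist in stock policy; 4294967295 is the unset-loginuid sentinel (the quoted rules use a nine-digit value); arch=b64 is the same thing as the post's arch=x86_64 on that machine; the exe= line is only usable on kernels and auditctl releases newer than the audit 2.2 on RHEL 6.4 in this thread, so it is left commented out.

```text
# Added example (not from the thread). Rules are evaluated in list order
# and a matching "never" rule stops processing, so exclusions go first.
-D
-b 8192

# 1. Exclusion for the noisy process, placed before any "always" rule.
#    pulseaudio_t is a hypothetical type that must be defined in local
#    policy first; excluding unconfined_t instead would silence every
#    unconfined process, which is why a dedicated type is needed.
-a exit,never -F arch=b64 -S all -F subj_type=pulseaudio_t

# On newer kernels/auditctl than the audit 2.2 in this thread, the same
# exclusion can be written against the executable path (assumed to be
# available on the target system; it was not on RHEL 6.4):
#-a exit,never -F arch=b64 -S all -F exe=/usr/bin/pulseaudio

# 2. Log only failed accesses: a correctly running daemon generates no
#    events here. auid>=500 restricts to real users; auid!=4294967295
#    drops processes with no login uid (services started at boot).
-a exit,always -F arch=b64 -S open,openat,creat,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S open,openat,creat,truncate,ftruncate -F exit=-EPERM  -F auid>=500 -F auid!=4294967295 -k access

# 3. Changes that should be rare: record success and failure, one rule
#    per syscall family, keyed so ausearch -k can pull them out.
-a exit,always -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete

# 4. Process-lifecycle syscalls (fork, vfork, exit, exit_group, getdents)
#    fire for every command a user runs and are the bulk of the noise in
#    the quoted report; if an execution trail is required, keep execve
#    only and key it.
-a exit,always -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k exec

# Caveat: arch=b64 rules do not see 32-bit compat syscalls. If 32-bit
# binaries run on the box, duplicate the rules above with -F arch=b32.
```

Load with `auditctl -R /etc/audit/audit.rules` and confirm with `auditctl -l` that the "never" rule is listed first; then re-run `aureport -x --summary` after a few hours to check that the pulseaudio line has gone.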

Thread overview: 3+ messages
2014-08-19 11:07 Excluding the single executable on the top of audit.rules Исаев Виталий Анатольевич
2014-08-19 20:32 ` Steve Grubb [this message]
2014-08-20  9:47   ` Исаев Виталий Анатольевич
