From: Keith Kaple <kak@cisco.com>
To: "Sincox, Anthony P" <Tony.Sincox@ManTech.com>
Cc: linux-audit@redhat.com
Subject: Re: FW: Exclusion of Linux "top" command in Audit Rules
Date: Mon, 8 Sep 2008 10:53:36 -0400
Message-ID: <20080908145336.GE16086@cisco.com>
In-Reply-To: <0444EF1DBF0E6D4ABFA7AA7451FFFDEF03291E@CHNMICMB03.ManTech.com>
Strategies I would try are:
1) have the script add a rule via auditctl that excludes the correct pid or parent pid from logging.
2) create a special user for this task and exclude their uid in the rule.
3) copy /usr/bin/top to /usr/bin/topAsUserMonitor and set it to run setuid to some user 'monitor' (who is locked down with a default shell of /bin/nologin; then use strategy 2, excluding uid monitor), then call topAsUserMonitor instead of regular top from your script.
So your rule would look something like this:
-a exit,always -S open -F exit=-13 -F ppid!=<pid of script>
- or -
-a exit,always -S open -F exit=-13 -F uid!=monitor
hth,
Keith
On Mon, Sep 08, 2008 at 09:10:34AM -0400, Sincox, Anthony P wrote:
> I'm still looking for suggestions.
>
> Thanks,
>
> Tony
>
>
> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Sincox, Anthony P
> Sent: Tuesday, August 26, 2008 12:27 PM
> To: linux-audit@redhat.com
> Subject: Exclusion of Linux "top" command in Audit Rules
>
> Looking for some assistance.
>
> I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.
>
> I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.
>
> The logging I'm receiving is similar to this:
>
> type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
> type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
> type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
>
> This is the type of logging I'm trying to exclude. Any ideas would be helpful.
>
> Thanks,
>
> Tony Sincox
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
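An added example, not part of the thread, of strategy 1 from the reply above: a POSIX shell wrapper that fills the "<pid of script>" placeholder with the monitoring script's own PID, installs the rule with auditctl before starting top, and deletes it again when the script exits so the audit configuration is not left relaxed afterwards. It assumes the rule replaces the nispom.rules open/exit=-13 rule that produced the logged events, that auditctl is on PATH, and that the script runs as root; the function names and the --run switch are invented here. The rule strings themselves are the two forms given in the reply.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Builds the two audit rules
# from the reply with the placeholder filled in, and wraps auditctl so the
# exemption exists only while the monitoring script is running.
# Assumptions: this rule replaces the nispom.rules open/exit=-13 rule,
# auditctl is on PATH, and run_monitored_top is invoked as root.

# Strategy 1: audit failed open() calls (exit=-13 is EACCES) from every
# process except children of the given PID.
# Caveat: this exempts every child of that PID, not only top.
rule_excluding_ppid() {
    printf '%s' "-a exit,always -S open -F exit=-13 -F ppid!=$1"
}

# Strategy 2/3: the same rule, exempting one dedicated uid instead.
# Caveat: every failed open() by that user then goes unlogged.
rule_excluding_uid() {
    printf '%s' "-a exit,always -S open -F exit=-13 -F uid!=$1"
}

# Turn an "-a ..." add rule into the matching "-d ..." delete rule so the
# exemption can be removed when monitoring is finished.
delete_rule_for() {
    printf '%s' "$1" | sed 's/^-a /-d /'
}

# Refuse a rule that still contains a literal <placeholder> (a copy-paste slip
# that would otherwise make auditctl fail or, worse, silently match nothing).
rule_is_complete() {
    case "$1" in
        *'<'*'>'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Install the exemption keyed to this script's PID, run top under it, and
# remove it on exit. Returns non-zero if the rule cannot be installed.
run_monitored_top() {
    rule=$(rule_excluding_ppid "$$")
    rule_is_complete "$rule" || { echo "rule still contains a placeholder" >&2; return 1; }
    # shellcheck disable=SC2086  # splitting the rule string into words is intended
    auditctl $rule || return 1
    trap 'auditctl $(delete_rule_for "$rule")' EXIT
    top
}

# Only touch auditctl when explicitly asked to and running as root;
# sourcing or running the file otherwise just defines the functions.
if [ "${1:-}" = "--run" ] && [ "$(id -u)" = 0 ]; then
    run_monitored_top
fi
```

Run it as `sh monitor.sh --run` from the script that drives the task; because the rule is keyed to `$$`, it exempts only processes started by that shell, and the EXIT trap restores logging even if top is killed.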