* FW: Exclusion of Linux "top" command in Audit Rules
@ 2008-09-08 13:10 Sincox, Anthony P
2008-09-08 14:53 ` Keith Kaple
From: Sincox, Anthony P @ 2008-09-08 13:10 UTC (permalink / raw)
To: linux-audit
I'm still looking for suggestions.
Thanks,
Tony
-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Sincox, Anthony P
Sent: Tuesday, August 26, 2008 12:27 PM
To: linux-audit@redhat.com
Subject: Exclusion of Linux "top" command in Audit Rules
Looking for some assistance.
I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.
I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.
The logging I'm receiving is similar to this:
type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
This is the type of logging I'm trying to exclude. Any ideas would be helpful.
Thanks,
Tony Sincox
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: FW: Exclusion of Linux "top" command in Audit Rules
2008-09-08 13:10 FW: Exclusion of Linux "top" command in Audit Rules Sincox, Anthony P
@ 2008-09-08 14:53 ` Keith Kaple
From: Keith Kaple @ 2008-09-08 14:53 UTC (permalink / raw)
To: Sincox, Anthony P; +Cc: linux-audit
Strategies I would try are:
1) have the script add a rule via auditctl that excludes the correct pid or parent pid from logging.
2) create a special user for this task and exclude their uid in the rule.
3) copy /usr/bin/top to /usr/bin/topAsUserMonitor and set it to run setuid to some user 'monitor' (who is locked down with a default shell of /bin/nologin), then use strategy 2, excluding uid monitor, and call topAsUserMonitor instead of regular top from your script.
So your rule would look something like this:
-a exit,always -S open -F exit=-13 -F ppid!=<pid of script>
- or -
-a exit,always -S open -F exit=-13 -F uid!=monitor
hth,
Keith
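Keith's first strategy worked through as an added example (not code from the thread): POSIX shell helpers that build a "never" rule keyed on the monitoring script's pid (the ppid of top), load and remove it with auditctl, and check a SYSCALL record against it. It assumes auditd is running and root privileges when rules are really loaded; without auditctl on PATH the load/unload functions only print the command they would run.

```shell
#!/bin/sh
# Added example implementing strategy 1 from the reply above. The script that
# runs top adds an audit "never" rule for its own pid before starting top and
# removes it again on exit. Assumption: auditd running and root when loading.

# Build the exclusion. "exit,never" suppresses logging of matching syscalls;
# "-S open" and the ppid filter mirror the record posted in the thread.
build_exclude_rule() {
    case "$1" in
        ''|*[!0-9]*) echo "build_exclude_rule: bad pid '$1'" >&2; return 1 ;;
    esac
    printf 'exit,never -S open -F ppid=%s\n' "$1"
}

# Load with -A (prepend): syscall rules are evaluated in order and the first
# match wins, so the never rule must sit ahead of the nispom "always" rules.
load_exclude_rule() {
    rule=$(build_exclude_rule "$1") || return 1
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -A $rule
    else
        echo "would run: auditctl -A $rule"
    fi
}

# -d deletes exactly the rule that was added, so the exclusion does not
# outlive the monitoring session.
unload_exclude_rule() {
    rule=$(build_exclude_rule "$1") || return 1
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -d $rule
    else
        echo "would run: auditctl -d $rule"
    fi
}

# Check whether a SYSCALL record would be silenced by the rule for pid $2:
# same syscall number (5 = open on i386, arch=40000003) and matching ppid.
record_is_excluded() {
    rec_sc=$(printf '%s\n' "$1" | sed -n 's/.* syscall=\([0-9]*\) .*/\1/p')
    rec_ppid=$(printf '%s\n' "$1" | sed -n 's/.* ppid=\([0-9]*\) .*/\1/p')
    [ "$rec_sc" = 5 ] && [ "$rec_ppid" = "$2" ]
}

# Typical use inside the monitoring script: $$ is the script's own pid, so a
# top started from here has ppid=$$. Uncomment to run for real:
# load_exclude_rule "$$"; trap 'unload_exclude_rule "$$"' EXIT; top
```

Records from any other process keep hitting the nispom rules unchanged, since the never rule matches only on the one ppid.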