From: Keith Kaple
Subject: Re: FW: Exclusion of Linux "top" command in Audit Rules
Date: Mon, 8 Sep 2008 10:53:36 -0400
Message-ID: <20080908145336.GE16086@cisco.com>
In-Reply-To: <0444EF1DBF0E6D4ABFA7AA7451FFFDEF03291E@CHNMICMB03.ManTech.com>
To: "Sincox, Anthony P"
Cc: linux-audit@redhat.com

Strategies I would try are:

1) have the script add a rule via auditctl that excludes the correct pid or parent pid from logging.

2) create a special user for this task and exclude their uid in the rule.

3) copy /usr/bin/top to /usr/bin/topAsUserMonitor and set it to run setuid to some user 'monitor' (who is locked down with a default shell of /bin/nologin and then use strategy 2 excluding uid monitor) then call topAsUserMonitor instead of regular top from your script.

So your rule would look something like this:

-a exit,always -S open -F exit=-13 -F ppid!=

- or -

-a exit,always -S open -F exit=-13 -F uid!=monitor

hth,
Keith

On Mon, Sep 08, 2008 at 09:10:34AM -0400, Sincox, Anthony P wrote:
> I'm still looking for suggestions.
>
> Thanks,
>
> Tony
>
> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Sincox, Anthony P
> Sent: Tuesday, August 26, 2008 12:27 PM
> To: linux-audit@redhat.com
> Subject: Exclusion of Linux "top" command in Audit Rules
>
> Looking for some assistance.
>
> I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.
>
> I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.
>
> The logging I'm receiving is similar to this:
>
> type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
> type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
> type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
>
> This is the type of logging I'm trying to exclude. Any ideas would be helpful.
>
> Thanks,
>
> Tony Sincox
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

--
C I S C O   GGSG VoIP
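To show what the two suggested rules actually keep and drop, here is an added worked example (not code from this thread, from auditctl, or from the audit package): a small evaluator for "-S syscall -F field<op>value" rules run over audit SYSCALL records. The first sample record is the one Tony quoted; the other records, the 'monitor' account and its uid 1001, and the i386 entry for open are constructed assumptions for the example. The pid filled into the ppid rule is the script pid 8076 from the quoted record.

```python
"""Added example: evaluate auditctl-style -F filters over audit SYSCALL records.
Not the audit package's own matcher; sample records and ids are constructed."""
import operator
import re
from typing import Dict, List, Tuple

# Constructed stand-in for /etc/passwd; 'monitor' is the locked-down user
# from strategy 3 (its uid 1001 is an assumption for this example).
PASSWD = {"root": 0, "tony": 500, "monitor": 1001}
# __NR_open is 5 on i386; the quoted record has arch=40000003 (i386).
SYSCALL_I386 = {"open": 5}
# -F fields that auditctl resolves from a user name to a numeric id.
UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid"}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}
Cond = Tuple[str, str, str]  # (field, op, value) exactly as written after -F

def parse_record(line: str) -> Dict[str, str]:
    """Split 'type=T msg=audit(ts:serial): k=v k="v" ...' into a dict."""
    m = re.match(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)', line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "ts": m.group(2), "serial": m.group(3)}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(4)):
        rec[key] = val.strip('"')
    return rec

def parse_rule(rule: str) -> Tuple[str, List[Cond]]:
    """Pull the -S syscall name and every -F comparison out of a rule line."""
    tokens = rule.split()
    syscall, conds = "", []  # type: str, List[Cond]
    for i, tok in enumerate(tokens):
        if tok == "-S":
            syscall = tokens[i + 1]
        elif tok == "-F":
            m = re.match(r'^(\w+)(!=|>=|<=|=|<|>)(.*)$', tokens[i + 1])
            if not m or m.group(3) == "":
                raise ValueError("bad -F filter: %r" % tokens[i + 1])
            conds.append((m.group(1), m.group(2), m.group(3)))
    if not syscall:
        raise ValueError("rule has no -S syscall")
    return syscall, conds

def resolve(field: str, value: str) -> int:
    """Numeric form of a -F value; user names map through PASSWD for uid fields."""
    if field in UID_FIELDS and value in PASSWD:
        return PASSWD[value]
    return int(value)

def record_matches(syscall: str, conds: List[Cond], rec: Dict[str, str]) -> bool:
    """True when the record is for this syscall and every -F comparison holds;
    the -F filters of one rule are ANDed, as auditctl does."""
    if rec.get("type") != "SYSCALL" or int(rec["syscall"]) != SYSCALL_I386[syscall]:
        return False
    for field, op, value in conds:
        if field not in rec or not OPS[op](int(rec[field]), resolve(field, value)):
            return False
    return True

def logged_serials(rule: str, log_lines: List[str]) -> List[str]:
    """Serial numbers of the records this rule would still write to the log."""
    syscall, conds = parse_rule(rule)
    return [rec["serial"] for rec in map(parse_record, log_lines)
            if record_matches(syscall, conds, rec)]

# Constructed sample log. 206 is the thread's own record (top, child of the
# script pid 8076, uid 500); 207 is a failed open by an unrelated process of
# the same user; 208 is top run as 'monitor'; 209 is a successful open.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 '
    'ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 '
    'egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"',
    'type=SYSCALL msg=audit(1219770690.101:207): arch=40000003 syscall=5 '
    'success=no exit=-13 items=1 ppid=4321 pid=4400 auid=500 uid=500 gid=510 '
    'euid=500 tty=pts3 comm="cat" exe="/bin/cat" key="open"',
    'type=SYSCALL msg=audit(1219770700.555:208): arch=40000003 syscall=5 '
    'success=no exit=-13 items=1 ppid=9000 pid=9001 auid=500 uid=1001 gid=1001 '
    'euid=1001 tty=pts2 comm="topAsUserMonitor" exe="/usr/bin/topAsUserMonitor" key="open"',
    'type=SYSCALL msg=audit(1219770710.003:209): arch=40000003 syscall=5 '
    'success=yes exit=3 items=1 ppid=4321 pid=4401 auid=500 uid=500 gid=510 '
    'euid=500 tty=pts3 comm="less" exe="/usr/bin/less" key="open"',
]

PPID_RULE = "-a exit,always -S open -F exit=-13 -F ppid!=8076"
UID_RULE = "-a exit,always -S open -F exit=-13 -F uid!=monitor"

if __name__ == "__main__":
    for rule in (PPID_RULE, UID_RULE):
        print("%-52s -> logs serials %s" % (rule, logged_serials(rule, SAMPLE_LOG)))
```

Running it shows the trade-off between the two strategies: the ppid rule drops record 206 but keeps 207 and 208, while the uid rule keeps 206 and 207 and drops 208. The ppid form only works if the script's pid is known when the rule is loaded and the rule is removed again afterwards, since a later process could reuse that pid; the uid form silences every failed open by the 'monitor' account, which is why that account needs /bin/nologin and nothing else to run as.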