From: PJB
Subject: Filtering out non-interactive users
Date: Fri, 14 Jan 2011 11:37:01 -0500
Message-ID: <20110114163701.GA31627@monolith>
To: linux-audit@redhat.com

Hello,

I've recently been working on a number of systems that need to fulfill auditing requirements for things such as "failed program executions," "failed file/directory deletions" and such, and we have been attempting to use auditd to fulfill these requirements. However, we've been having difficulty filtering out the 'noise' from non-interactive processes, since our requirements only need us to capture these events for real human users.

In older versions of the audit code, we used the following type of system call auditing rule, which seemed to work pretty well:

    -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1

Filtering on 'auid!=-1' seemed to do a very good job of stripping out system calls from daemon processes and such. However, at some point I guess this was changed, because we no longer seem to be able to capture any system calls at all when we have this filter defined on a rule.

Can someone point me to documentation/examples or help me out with the proper syntax for setting up rules that will exclude the background processes? We are using auditd 1.7.4 now and the 'auid' filter above no longer does the job.

Any help would be very much appreciated!

Thanks.
Patrick
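The following is an added example, not part of the post above and not code from the audit project. It shows the auid filter the post is asking about in two forms: a rule set in current auditctl syntax that uses the numeric value the kernel actually stores for an unset login UID (4294967295, which is -1 as an unsigned 32-bit integer), and the same filter applied in Python to constructed audit.log SYSCALL records, so the effect of each `-F auid` clause can be checked offline. Assumptions: an x86_64 host, human accounts starting at UID 1000, and a hypothetical rule key `user_file_fail`; the log lines are constructed, not captured from a real system.

```python
import re

# Value the kernel reports in auid= for a process whose login UID was never
# set: -1 stored as an unsigned 32-bit integer. Daemons started by init at
# boot carry it; a session that went through pam_loginuid gets a real auid
# that survives su/sudo, which is why it identifies the human behind a call.
AUID_UNSET = 4294967295

# Rule set in current auditctl syntax that records only failed file creates,
# opens and truncates made by interactive users. Assumptions: an x86_64 host
# (both arch filters are needed so 32-bit binaries are not missed) and human
# accounts starting at UID 1000. The key name is hypothetical.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F success=0 -F auid>=1000 -F auid!=4294967295 -k user_file_fail
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F success=0 -F auid>=1000 -F auid!=4294967295 -k user_file_fail
"""

# Constructed audit.log SYSCALL records (not captured from a real host):
# 101: crond, auid unset           -> background noise, drop
# 102: cat run from a login shell  -> failed open by a human, keep
# 103: vim, successful open        -> not a failure, drop
# 104: backup service account 500  -> below the human UID floor, drop
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1295022000.123:101): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1c2d3e40 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="user_file_fail"
type=SYSCALL msg=audit(1295022001.456:102): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9a8b7c60 a1=0 a2=1b6 a3=0 items=1 ppid=2201 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="user_file_fail"
type=SYSCALL msg=audit(1295022002.789:103): arch=c000003e syscall=2 success=yes exit=3 a0=7fff9a8b7d10 a1=0 a2=1b6 a3=0 items=1 ppid=2201 pid=2315 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key=(null)
type=SYSCALL msg=audit(1295022003.012:104): arch=c000003e syscall=85 success=no exit=-2 a0=7fff4d5e6f70 a1=1b6 a2=0 a3=0 items=1 ppid=1 pid=2400 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="backup" exe="/usr/local/bin/backup" key="user_file_fail"
"""

SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)"
)
# key=value pairs; quoted values (comm=, exe=, key=) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Return the fields we filter on, or None for non-SYSCALL records."""
    m = SYSCALL_RE.match(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "serial": int(m.group("serial")),
        "auid": int(fields["auid"]),
        "success": fields["success"] == "yes",
        "syscall": int(fields["syscall"]),
        "exe": fields["exe"].strip('"'),
        "tty": fields["tty"],
    }


def is_interactive(auid, min_user_uid=1000):
    """True when the record belongs to a logged-in human rather than a daemon.

    The unset check is what -F auid!=4294967295 does in the rule; the floor
    is what -F auid>=1000 does. Lower min_user_uid (or drop the floor) on
    hosts where root or other low-UID accounts log in interactively.
    """
    return auid != AUID_UNSET and auid >= min_user_uid


def failed_interactive_events(lines, min_user_uid=1000):
    """Apply the same filter as AUDIT_RULES to already-collected records."""
    kept = []
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None or rec["success"]:
            continue
        if not is_interactive(rec["auid"], min_user_uid):
            continue
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in failed_interactive_events(SAMPLE_LOG.splitlines()):
        print(rec["serial"], rec["exe"], "auid=%d" % rec["auid"])
```

Running the filter over the sample keeps only record 102 (the failed open by the user with auid 1000); crond is dropped on the unset auid, vim on success=yes, and the backup account on the UID floor. Lowering `min_user_uid` to 500 admits record 104 as well, which is the same trade-off as changing the `-F auid>=` clause in the rule: the unset check alone removes boot-time daemons, while the floor decides which real accounts count as human.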