From: PJB
Subject: Re: Filtering out non-interactive users
Date: Wed, 19 Jan 2011 09:01:55 -0500
Message-ID: <20110119140155.GA4133@monolith>
References: <20110114163701.GA31627@monolith> <201101141721.49236.sgrubb@redhat.com> <20110116013929.GA10485@monolith> <201101161000.11655.sgrubb@redhat.com>
In-reply-to: <201101161000.11655.sgrubb@redhat.com>
To: linux-audit@redhat.com

On Sun, Jan 16, 2011 at 10:00:11AM -0500, Steve Grubb [sgrubb@redhat.com] wrote:
> > > > Can someone point me to documentation/examples or help me out with the
> > > > proper syntax for setting up rules that will exclude the background
> > > > processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> > > > longer does the job.
> > >
> > > There's been a lot of bugs fixed since then. You might try building a
> > > newer auditctl and trying it out to see if that makes a difference. Also
> > > note that the event capturing is done by the kernel and the kernel
> > > version would matter more than the auditd version.
> >
> > Unfortunately I'm in one of those situations where changing software
> > versions will cause severe heartburn with management and customer types
> > due to concerns about baseline stability, so I have to stick with what we
> > have right now. The kernel is 2.6.33.1 with no extra patches, as far as I
> > know.
>
> That should work unless there is a 32 bit bug everyone has missed or you have another
> rule preventing the logging. If you do cat /proc/self/loginuid, do you get a number
> > 0? Also, if you use auid!=4294967295, does that work?

The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the filters,
when I run 'auditctl -l' the rules are listed, but each one has
'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all tagged
with auid 4294967295. Is this proper or did I stumble upon a bug after all?

I've managed a workaround for most of my systems; since we do not permit direct
root login to anything, using a filter of '-F uid!=0' manages to filter out most
of the background activity. However I do have a couple of systems that only have
a root user, so this method does not work.

Thanks again!

Patrick
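An added check, not part of this thread, for the symptom Patrick describes: a POSIX shell script that scans 'auditctl -l' output for rules whose auid field holds the clamped value 2147483647 instead of the unset-loginuid sentinel 4294967295, and classifies a loginuid value as set or unset. The sample listing is constructed and its format is an assumption, as the exact output of that auditctl version is not shown here.

```shell
#!/bin/sh
# The kernel reports an unset loginuid (daemons, boot-time work) as (unsigned)-1.
UNSET_AUID=4294967295
# A signed 32-bit parse of that value saturates at INT_MAX, the value the
# 'auditctl -l' listing in the message above shows.
CLAMPED_AUID=2147483647

# Constructed sample of 'auditctl -l' output (format approximated, not captured
# from a real system): two rules carry the clamped sentinel, one does not.
SAMPLE_RULES="LIST_RULES: exit,always auid=2147483647 (0x7fffffff) syscall=open
LIST_RULES: exit,always auid=2147483647 (0x7fffffff) syscall=execve
LIST_RULES: exit,always uid!=0 (0xffffffff) syscall=open"

# Print the rules read on stdin whose auid comparison uses the clamped value.
# No process ever has loginuid 2147483647, so 'auid!=2147483647' matches every
# process and 'auid=2147483647' matches none: the filter is silently wrong.
find_clamped_auid_rules() {
    grep -E 'auid(!=|>=|<=|=|>|<)'"${CLAMPED_AUID}"'( |$)' || true
}

# Count such rules; always exits 0 and prints a number so callers can branch.
count_clamped_auid_rules() {
    find_clamped_auid_rules | grep -c . || true
}

# Classify a loginuid value (for example the contents of /proc/self/loginuid).
classify_loginuid() {
    if [ "$1" = "$UNSET_AUID" ]; then
        echo "unset (background/daemon)"
    else
        echo "set (interactive, auid=$1)"
    fi
}

# Stand-alone run against the constructed sample.
n=$(printf '%s\n' "$SAMPLE_RULES" | count_clamped_auid_rules)
echo "rules with clamped auid in sample: $n"
classify_loginuid "$UNSET_AUID"
```

On a live system, pipe the real listing in with 'auditctl -l | count_clamped_auid_rules'; any count above zero means the auid filter is not doing what the rule file says.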