From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Excluding few executable from audit.rules in redhat6.5
Date: Mon, 17 Nov 2014 10:30:38 -0500 [thread overview]
Message-ID: <2049003.dURlEamkhM@x2> (raw)
In-Reply-To: <08DF6CD1326DBF4A80321CEA93761E5F1CB1A523@eusaamb103.ericsson.se>
On Monday, November 17, 2014 03:02:12 PM Tilden Doran D wrote:
> I am new to Redhat Audit logging.
> Our Server Configurations: Redhat 6.5 OS and Oracle 11g , and SELinux is
> enabled.
>
> We are getting lots of logs messages in /var/log/messages.
>
> type=SYSCALL msg=audit(1416235337.083:2109222): arch=c000003e syscall=90
> success=yes exit=0 a0=7f52ae9f1a20 a1=3ff a2=ffffffffffffff88
> a3=fffffffffffffff0 items=1 ppid=1 pid=46859 auid=500 uid=345 gid=345
> euid=345 suid=345 fsuid=345 egid=345 sgid=345 fsgid=345 tty=(none) ses=28
> comm="ohasd.bin" exe="/opt/oracle_homes/oracle/grid/11.2.0/bin/ohasd.bin"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"
> type=PATH msg=audit(1416235337.083:2109222): item=0
> name="/opt/oracle_homes/oracle/grid/11.2.0/auth/ohasd/dl360x3364/A7679703"
> inode=4718596 dev=fd:00 mode=041755 ouid=345 ogid=345 rdev=00:00
> obj=unconfined_u:object_r:usr_t:s0 nametype=NORMAL
>
>
> Later we found and removed message type "CWD", but still we are getting lot
> of logs.
>
> And also found that the below mentioned executable are creating the problem.
>
> 13351. 11/16/2014 18:11:34
> /opt/oracle_homes/oracle/grid/11.2.0/bin/ohasd.bin (none) ? 500 1599360
> 13352. 11/16/2014 18:11:34 /opt/oracle_homes/oracle/rdbms/11.2.0/bin/oracle
> (none) ? 500 1599354 13353. 11/16/2014 18:11:34
> /opt/oracle_homes/oracle/grid/11.2.0/bin/oraagent.bin (none) ? 500 1599361
>
> Can you please help me in excluding the above mentioned Executable `s in
> the audit. rules files .
Well, what do you really want to do? In general, I'd look at the original
auditing rule to see if its scope can be narrowed. In this case, it appears
that you are wanting all calls to chmod. Why? Are you more concerned with
failed calls to chmod, meaning a user is trying to change system files? Are
system daemons calling chmod OK? Or do you really want everything? Or do you
want no events at all for that daemon no matter what the syscall?
The event you are showing is that app successfully making a directory world
writable/readable. Its setting the sticky bit, so its "safe."
-Steve
next prev parent reply other threads:[~2014-11-17 15:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-17 15:02 Excluding few executable from audit.rules in redhat6.5 Tilden Doran D
2014-11-17 15:30 ` Steve Grubb [this message]
2014-11-17 16:14 ` LC Bruzenak
2014-11-17 16:42 ` Steve Grubb
2014-11-17 17:09 ` Steve Grubb
2014-11-18 10:22 ` Tilden Doran D
2014-11-18 15:25 ` Steve Grubb
2014-11-19 5:38 ` Tilden Doran D
2014-11-19 15:31 ` Steve Grubb
2014-11-18 10:10 ` Tilden Doran D
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2049003.dURlEamkhM@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox