From: Steve Grubb
Subject: Re: Excluding events by command
Date: Tue, 18 Sep 2012 13:29 -0400
Message-ID: <2249732.seR61OZ2Dd@x2>
References: <6331664.9tKZqKR1nW@x2>
To: Peter Moody
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, September 18, 2012 10:12:53 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb wrote:
> > On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> >> I'm trying to exclude cron events from audit logging. I can't see how
> >> I can exclude only this kind of entries:
> >>
> >> ----
> >> time->Mon Sep 17 11:00:01 2012
> >> type=PATH msg=audit(1347872401.521:5212): item=0
> >> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> >> ogid=0 rdev=00:00
> >> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> >> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> >> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> >> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> >> key=(null)
> >> ----
> >>
> >> I didn't see any option to exclude events by 'exe' or 'comm' field.
> >>
> >> Any hints?
> >
> > There is the possibility to exclude events by SE Linux context. But I
> > don't see a SE Linux context in your event. So, without SE Linux being
> > enabled...there's not much you can do.
> >
> > There was a patch to audit by process name, which might address this
> > problem, but it's not accepted yet.
>
> my patch only allows for positive match, not negative matching. I was
> afraid of someone saying something like, '-a exit,always -S open -F
> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> caveat emptor sort of thing.
>
> I'll modify that patch and resend it, but it doesn't help the current
> situation.

I was thinking something like -a exit,never -S open -F exe=/bin/bash

-Steve
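As an added example that is not part of this thread: a small Python post-filter that does in userspace what the thread says auditctl could not yet express at the time, namely dropping whole events by their `exe` field. It groups records by their `audit(timestamp:serial)` id and discards an event when its SYSCALL record names an excluded executable. The sample records are constructed: the first event is the one quoted above, the second is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log: event 5212 is the crond event from the thread
# (quoted-printable decoded), event 5213 is a made-up non-cron event.
SAMPLE_LOG = """\
type=PATH msg=audit(1347872401.521:5212): item=0 name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2 success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640 pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=PATH msg=audit(1347872405.100:5213): item=0 name="/etc/shadow" inode=1 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1347872405.100:5213): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2000 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key=(null)
"""

# The audit(timestamp:serial) id shared by every record of one event.
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def group_events(lines):
    """Group records that share one audit(timestamp:serial) id into one event."""
    events = defaultdict(list)
    for line in lines:
        match = EVENT_ID.search(line)
        if match:
            events[match.group(1)].append(parse_record(line))
    return events


def exclude_by_exe(events, excluded_exes):
    """Drop events whose SYSCALL record names an executable in excluded_exes.

    Events with no SYSCALL record are kept: without it the originating
    process cannot be attributed, so silently dropping them would hide data.
    """
    kept = {}
    for event_id, records in events.items():
        syscall = next((r for r in records if r.get('type') == 'SYSCALL'), None)
        if syscall is not None and syscall.get('exe') in excluded_exes:
            continue
        kept[event_id] = records
    return kept


if __name__ == '__main__':
    remaining = exclude_by_exe(group_events(SAMPLE_LOG.splitlines()), {'/usr/sbin/crond'})
    print(f'{len(remaining)} event(s) kept after excluding crond')
```

This filters ausearch/audit.log output after the fact; it does not reduce what the kernel records, which is the point Steve's `-a exit,never` rule addresses.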