From: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
To: linux-audit@redhat.com
Subject: Re: Captured system calls that should be filtered out
Date: Fri, 20 Jan 2012 14:49:57 -0200 [thread overview]
Message-ID: <4F199B35.5070507@linux.vnet.ibm.com> (raw)
In-Reply-To: <CBB5698646A30145BEE8F5E81D089F1C01F3E88A@XMBC3085.northgrum.com>
Hi,
Try auid!=4294967295 instead of auid!=4294967296.
Regards,
Marcelo
On 01/20/2012 02:27 PM, Kaplan, Eric D (IS) wrote:
> I am trying to implement STIG rules for our system. I modified Steve
> Grubbs' stig.rules for my audit.rules file. Included
> was the rule
> -a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F
> auid!=4294967296 -k perm_mod
> which I understand should exempt root and unset processes from having
> these system calls captured. Yet
> in our audit.logs there was a torrent of records of the sort
> type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e
> syscall=91 per=400000 success=yes exit=0 a0=1 a1=100 a2=0
> a3=7fff21800870 items=1 ppid=3536 pid=20965 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod"
> type=PATH msg=audit(1326897520.970:2005250): item=0 name=(null)
> inode=25631356 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00
> and
> type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e
> syscall=91 per=400000 success=yes exit=0 a0=5 a1=100 a2=0
> a3=7fffa8f157d0 items=1 ppid=20707 pid=20726 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="find_client_sta" exe="/bin/ksh93" key="perm_mod"
> type=PATH msg=audit(1326897480.144:2005238): item=0 name=(null)
> inode=25630808 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00
> I need to get rid of them to make annalysis possible and to avoid
> soaking up disk space.
> find_client_status.ksh and time_adjust.ksh are both scripts that are
> spawned by a daemon running as root.
> I attach my version of audit.rules.
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
prev parent reply other threads:[~2012-01-20 16:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-20 16:27 Captured system calls that should be filtered out Kaplan, Eric D (IS)
2012-01-20 16:49 ` Marcelo Cerri [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F199B35.5070507@linux.vnet.ibm.com \
--to=mhcerri@linux.vnet.ibm.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox