* Excluding events by command
@ 2012-09-18 16:50 Laura Martín
2012-09-18 16:59 ` Steve Grubb
2012-09-18 17:29 ` Laura Martín
0 siblings, 2 replies; 7+ messages in thread
From: Laura Martín @ 2012-09-18 16:50 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 767 bytes --]
Hi all,
I'm trying to exclude cron events from audit logging. I can't see how can I
do to only exclude this kind of entries:
----
time->Mon Sep 17 11:00:01 2012
type=PATH msg=audit(1347872401.521:5212): item=0
name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
ogid=0 rdev=00:00
type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
key=(null)
----
I didn't see any option to exclude events by 'exe' or 'comm' field.
Any hints?
Thanks in advance, Laura
[-- Attachment #1.2: Type: text/html, Size: 900 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 16:50 Excluding events by command Laura Martín
@ 2012-09-18 16:59 ` Steve Grubb
2012-09-18 17:12 ` Peter Moody
2012-09-18 17:29 ` Laura Martín
1 sibling, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2012-09-18 16:59 UTC (permalink / raw)
To: linux-audit
On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> Hi all,
>
> I'm trying to exclude cron events from audit logging. I can't see how can I
> do to only exclude this kind of entries:
>
>
> ----
> time->Mon Sep 17 11:00:01 2012
> type=PATH msg=audit(1347872401.521:5212): item=0
> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> ogid=0 rdev=00:00
> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> key=(null)
> ----
>
> I didn't see any option to exclude events by 'exe' or 'comm' field.
>
> Any hints?
There is the possibility to exclude events by SE Linux context. But I don't
see a SE Linux context in your event. So, without SE Linux being
enabled...there's not much you can do.
There was a patch to audit by process name, which might address this problem,
but its not accepted yet.
But looking at the event, I'm not sure about the usefulness of logging
successful opens in the pam config directory. You might be able to better tune
your rules. Opening for write or opens that fail might be more interesting.
-Steve
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 16:59 ` Steve Grubb
@ 2012-09-18 17:12 ` Peter Moody
2012-09-18 17:29 ` Steve Grubb
0 siblings, 1 reply; 7+ messages in thread
From: Peter Moody @ 2012-09-18 17:12 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit@redhat.com
On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
>> Hi all,
>>
>> I'm trying to exclude cron events from audit logging. I can't see how can I
>> do to only exclude this kind of entries:
>>
>>
>> ----
>> time->Mon Sep 17 11:00:01 2012
>> type=PATH msg=audit(1347872401.521:5212): item=0
>> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
>> ogid=0 rdev=00:00
>> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
>> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
>> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
>> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
>> key=(null)
>> ----
>>
>> I didn't see any option to exclude events by 'exe' or 'comm' field.
>>
>> Any hints?
>
> There is the possibility to exclude events by SE Linux context. But I don't
> see a SE Linux context in your event. So, without SE Linux being
> enabled...there's not much you can do.
>
> There was a patch to audit by process name, which might address this problem,
> but its not accepted yet.
my patch only allows for positive match, not negative matching. I was
afraid someone saying something like, '-a exit,always -S open -F
exe!=/bin/bash' but I suppose like any audit rule, it could be a
caveat emptor sort of thing.
I'll modify that patch and resend it, but it doesn't help the current situation.
> But looking at the event, I'm not sure about the usefulness of logging
> successful opens in the pam config directory. You might be able to better tune
> your rules. Opening for write or opens that fail might be more interesting.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 17:12 ` Peter Moody
@ 2012-09-18 17:29 ` Steve Grubb
2012-09-18 17:31 ` Peter Moody
0 siblings, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2012-09-18 17:29 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit@redhat.com
On Tuesday, September 18, 2012 10:12:53 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> >> I'm trying to exclude cron events from audit logging. I can't see how can
> >> I do to only exclude this kind of entries:
> >>
> >> ----
> >> time->Mon Sep 17 11:00:01 2012
> >> type=PATH msg=audit(1347872401.521:5212): item=0
> >> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> >> ogid=0 rdev=00:00
> >> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> >> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> >> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> >> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> >> key=(null)
> >> ----
> >>
> >> I didn't see any option to exclude events by 'exe' or 'comm' field.
> >>
> >> Any hints?
> >
> > There is the possibility to exclude events by SE Linux context. But I
> > don't see a SE Linux context in your event. So, without SE Linux being
> > enabled...there's not much you can do.
> >
> > There was a patch to audit by process name, which might address this
> > problem, but its not accepted yet.
>
> my patch only allows for positive match, not negative matching. I was
> afraid someone saying something like, '-a exit,always -S open -F
> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> caveat emptor sort of thing.
>
> I'll modify that patch and resend it, but it doesn't help the current
> situation.
I was thinking something like
-a exit,never -S open -F exe=/bin/bash
-Steve
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 17:29 ` Steve Grubb
@ 2012-09-18 17:31 ` Peter Moody
2012-09-18 18:40 ` Steve Grubb
0 siblings, 1 reply; 7+ messages in thread
From: Peter Moody @ 2012-09-18 17:31 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit@redhat.com
On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>> my patch only allows for positive match, not negative matching. I was
>> afraid someone saying something like, '-a exit,always -S open -F
>> exe!=/bin/bash' but I suppose like any audit rule, it could be a
>> caveat emptor sort of thing.
>>
>> I'll modify that patch and resend it, but it doesn't help the current
>> situation.
>
> I was thinking something like
> -a exit,never -S open -F exe=/bin/bash
Oh, that works too.
Do you think it's worth me fixing up the patch to allow !=?
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 17:31 ` Peter Moody
@ 2012-09-18 18:40 ` Steve Grubb
0 siblings, 0 replies; 7+ messages in thread
From: Steve Grubb @ 2012-09-18 18:40 UTC (permalink / raw)
To: Peter Moody; +Cc: linux-audit@redhat.com
On Tuesday, September 18, 2012 10:31:57 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> >> my patch only allows for positive match, not negative matching. I was
> >> afraid someone saying something like, '-a exit,always -S open -F
> >> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> >> caveat emptor sort of thing.
> >>
> >> I'll modify that patch and resend it, but it doesn't help the current
> >> situation.
> >
> > I was thinking something like
> > -a exit,never -S open -F exe=/bin/bash
>
> Oh, that works too.
>
> Do you think it's worth me fixing up the patch to allow !=?
No. The path and dir fields do not allow it. These should all be consistent.
Thanks,
-Steve
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Excluding events by command
2012-09-18 16:50 Excluding events by command Laura Martín
2012-09-18 16:59 ` Steve Grubb
@ 2012-09-18 17:29 ` Laura Martín
1 sibling, 0 replies; 7+ messages in thread
From: Laura Martín @ 2012-09-18 17:29 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1080 bytes --]
Hi!
Thanks in advance for the replies. I want to exclude all audit entries for
cron executions.
The line i've pasted here was an example.
Thanks!
Laura
El 18/09/2012 18:50, "Laura Martín" <hoshi.utsuku@gmail.com> escribió:
> Hi all,
>
> I'm trying to exclude cron events from audit logging. I can't see how can
> I do to only exclude this kind of entries:
>
>
> ----
> time->Mon Sep 17 11:00:01 2012
> type=PATH msg=audit(1347872401.521:5212): item=0
> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> ogid=0 rdev=00:00
> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> key=(null)
> ----
>
> I didn't see any option to exclude events by 'exe' or 'comm' field.
>
> Any hints?
>
> Thanks in advance, Laura
>
>
[-- Attachment #1.2: Type: text/html, Size: 1410 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2012-09-18 18:40 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-09-18 16:50 Excluding events by command Laura Martín
2012-09-18 16:59 ` Steve Grubb
2012-09-18 17:12 ` Peter Moody
2012-09-18 17:29 ` Steve Grubb
2012-09-18 17:31 ` Peter Moody
2012-09-18 18:40 ` Steve Grubb
2012-09-18 17:29 ` Laura Martín
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox