From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Excluding events by command
Date: Tue, 18 Sep 2012 12:59:31 -0400 [thread overview]
Message-ID: <6331664.9tKZqKR1nW@x2> (raw)
In-Reply-To: <CAJA1D03WHEs45zR86TRZn3W5YH3fCsQfBu6EA+JtL129X7jX2w@mail.gmail.com>
On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> Hi all,
>
> I'm trying to exclude cron events from audit logging. I can't see how to
> exclude only this kind of entry:
>
>
> ----
> time->Mon Sep 17 11:00:01 2012
> type=PATH msg=audit(1347872401.521:5212): item=0
> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> ogid=0 rdev=00:00
> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> key=(null)
> ----
>
> I didn't see any option to exclude events by 'exe' or 'comm' field.
>
> Any hints?
There is the possibility to exclude events by SELinux context. But I don't
see an SELinux context in your event. So, without SELinux being
enabled...there's not much you can do.
There was a patch to audit by process name, which might address this problem,
but it's not accepted yet.
But looking at the event, I'm not sure about the usefulness of logging
successful opens in the pam config directory. You might be able to better tune
your rules. Opening for write or opens that fail might be more interesting.
-Steve
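Since the kernel rule engine at the time of this thread cannot match on comm or exe, the practical workaround is to post-filter the raw records in userspace. The following is an added example (not code from the thread or from the audit project): it groups records by their audit(timestamp:serial) id, decodes the open(2) flags from the syscall argument, and drops only successful read-only opens made by a named command, which is exactly the class of event quoted above. It assumes x86_64 (arch=c000003e, syscall 2 = open, 257 = openat) and the O_* values from <asm-generic/fcntl.h>; the sample log is constructed to mirror the quoted event plus two contrasting events.

```python
"""Userspace post-filter for raw Linux audit records.

Added example; not code from the thread or from the audit project. Groups the
records of each event by its audit(timestamp:serial) id and drops successful,
read-only opens made by a named command. Assumes x86_64 (arch=c000003e:
syscall 2 = open, 257 = openat) and the O_* flag values from
<asm-generic/fcntl.h>. SAMPLE_LOG is constructed for the example.
"""
import re
from collections import OrderedDict

# open(2) flag bits, octal as in <asm-generic/fcntl.h> (x86_64)
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0o1, 0o2, 0o100, 0o1000, 0o2000
WRITE_BITS = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND
# which aN register carries the flags argument, per x86_64 syscall number
FLAGS_ARG = {"2": "a1", "257": "a2"}   # open(path, flags) / openat(dfd, path, flags)

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v" k=(null)' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(lines):
    """Return OrderedDict serial -> {"serial", "time", "records": {type: [fields]}}."""
    events = OrderedDict()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue   # skip ausearch separators ("----", "time->...")
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": {}})
        ev["records"].setdefault(rtype, []).append(parse_fields(body))
    return events


def opens_for_write(syscall_rec):
    """True unless the record is an open/openat whose flags are read-only."""
    reg = FLAGS_ARG.get(syscall_rec.get("syscall"))
    if reg is None:
        return True    # not an open(): treat as interesting, never drop it
    return bool(int(syscall_rec[reg], 16) & WRITE_BITS)   # aN is printed in hex


def is_noise(event, comm="crond"):
    """Successful read-only open by `comm`: the case the thread wants dropped."""
    sc = event["records"].get("SYSCALL", [{}])[0]
    return (sc.get("comm") == comm
            and sc.get("success") == "yes"
            and not opens_for_write(sc))


def filter_events(lines, comm="crond"):
    """Everything except the is_noise() events, in original order."""
    return [ev for ev in group_events(lines).values() if not is_noise(ev, comm)]


# Constructed sample: the thread's read-only crond open (5212), a write/truncate
# open of the same file by an editor (5213, a1=0x241 = O_WRONLY|O_CREAT|O_TRUNC),
# and a failed crond open (5214, success=no exit=-13).
SAMPLE_LOG = """\
----
time->Mon Sep 17 11:00:01 2012
type=PATH msg=audit(1347872401.521:5212): item=0 name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2 success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640 pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
----
time->Mon Sep 17 11:03:10 2012
type=PATH msg=audit(1347872590.100:5213): item=0 name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1347872590.100:5213): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1a4 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key=(null)
----
time->Mon Sep 17 11:05:01 2012
type=SYSCALL msg=audit(1347872701.300:5214): arch=c000003e syscall=2 success=no exit=-13 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=0 ppid=11640 pid=1970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
"""

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_LOG.splitlines()):
        sc = ev["records"]["SYSCALL"][0]
        print(ev["serial"], sc["comm"], "success=" + sc["success"], "flags=" + sc["a1"])
```

Run against the sample, event 5212 (the one from the thread) is dropped because a1=0 means O_RDONLY and success=yes, while the write open and the failed open are kept; that is the distinction Steve suggests tuning the rules around. The same reduction can be done in the kernel rather than after the fact: a watch of the form `-w /etc/pam.d -p wa -k pam_config` only logs write and attribute changes, and a syscall rule with `-F success=0` keeps only the failures, so neither would have produced the quoted record.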
Thread overview: 7+ messages
2012-09-18 16:50 Excluding events by command Laura Martín
2012-09-18 16:59 ` Steve Grubb [this message]
2012-09-18 17:12 ` Peter Moody
2012-09-18 17:29 ` Steve Grubb
2012-09-18 17:31 ` Peter Moody
2012-09-18 18:40 ` Steve Grubb
2012-09-18 17:29 ` Laura Martín