From: Steve Grubb
Subject: Re: Excluding events by command
Date: Tue, 18 Sep 2012 12:59:31 -0400
Message-ID: <6331664.9tKZqKR1nW@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote:
> Hi all,
>
> I'm trying to exclude cron events from audit logging. I can't see how to
> exclude only this kind of entry:
>
> ----
> time->Mon Sep 17 11:00:01 2012
> type=PATH msg=audit(1347872401.521:5212): item=0
> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
> ogid=0 rdev=00:00
> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
> key=(null)
> ----
>
> I didn't see any option to exclude events by 'exe' or 'comm' field.
>
> Any hints?

There is the possibility to exclude events by SE Linux context. But I don't
see a SE Linux context in your event. So, without SE Linux being
enabled...there's not much you can do.

There was a patch to audit by process name, which might address this problem,
but it's not accepted yet.

But looking at the event, I'm not sure about the usefulness of logging
successful opens in the pam config directory. You might be able to better tune
your rules. Opening for write or opens that fail might be more interesting.
-Steve
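As an added example (not code from either poster or from the audit project), here is what the rule tuning Steve suggests looks like in audit.rules syntax: instead of a catch-all watch that records every successful open of /etc/pam.d by crond, sshd and friends, record only writes/attribute changes to the directory and opens that failed. The key names pam_config_write and pam_config_fail, the default rules path and the check_rules_file sanity check are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a tuned audit rule set for
# /etc/pam.d that drops the noise Laura's event shows (successful reads).
# Key names and the default destination path are assumptions of this example.

# Print the rules in auditctl / audit.rules syntax to stdout.
pam_audit_rules() {
    cat <<'EOF'
## Watch /etc/pam.d for writes and attribute changes only (-p wa).
## Successful reads by crond, sshd, login etc. are no longer recorded.
-w /etc/pam.d/ -p wa -k pam_config_write

## Record open()/openat() calls under /etc/pam.d that FAILED (success=0),
## for both syscall ABIs so 32-bit binaries are not missed.
-a always,exit -F arch=b64 -S open,openat -F dir=/etc/pam.d/ -F success=0 -k pam_config_fail
-a always,exit -F arch=b32 -S open,openat -F dir=/etc/pam.d/ -F success=0 -k pam_config_fail
EOF
}

# Write the rules to $1 (default /etc/audit/rules.d/pam.rules) and load them
# with auditctl if it is installed; otherwise just leave the file in place.
install_pam_audit_rules() {
    dest=${1:-/etc/audit/rules.d/pam.rules}
    pam_audit_rules > "$dest" || return 1
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -R "$dest"
    fi
}

# Sanity check before loading: every non-comment, non-blank line must be a
# -w or -a rule that ends in a key, so ausearch -k can find what it logs.
# Returns 0 when the file is clean, 1 (and prints the offenders) otherwise.
check_rules_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vE '^-(w|a) .* -k [A-Za-z_]+$' && return 1
    return 0
}
```

After loading, `ausearch -k pam_config_write` and `ausearch -k pam_config_fail` pull out exactly the two interesting classes of event, and the hourly crond read of system-auth simply never reaches the log. If you do still need to see what crond touched, `ausearch -c crond` works on whatever is recorded. Note that later versions of auditctl accept an `exe` field (see `man auditctl` on your system), so on current kernels filtering on the executable path is possible after all.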