public inbox for linux-audit@redhat.com
From: rshaw1@umbc.edu
To: linux-audit@redhat.com
Subject: Filtering audit events
Date: Mon, 31 Aug 2015 08:18:12 -0400
Message-ID: <80528828ce7a24c2d9ed2e16b46f4fb6.squirrel@webmail.umbc.edu>

I'm trying to figure out a way to filter a large number of events similar
to the following:

time->Mon Aug 31 08:08:26 2015
type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133
dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00
obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
type=PATH msg=audit(1441022906.019:52947542): item=0
name="/var/log/simpana/Log_Files/locks/" inode=92 dev=fd:06 mode=040775
ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0
nametype=PARENT
type=CWD msg=audit(1441022906.019:52947542):  cwd="/opt/simpana"
type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2
success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855
pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990
egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup"
exe="/opt/simpana/iDataAgent/clBackup" subj=system_u:system_r:initrc_t:s0
key="access"

The STIG-compliant audit ruleset we're using seems to generate a lot of
these, and I'm concerned that may be affecting the performance of the app
in question (also, I consider it log spam).  I tried the following rule
(plus a few variations like ogid), but it doesn't seem to be working:

-a exit,never -F gid=9002 -k exclude

What would be the best way to approach this?  I have a few other apps with
similar issues.

Thanks,

--Ray
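The records quoted above can be parsed and checked against candidate rules offline. The following script is an added example, not code from the original post or from the audit project: it groups the four records of the event into one syscall event and then simulates the way auditctl applies loaded rules, first match wins, so a `never` rule placed after the rule that generates the event is never reached (auditctl(8) recommends putting suppressions at the top of the list). The STIG-style rule is reduced to equality tests on `arch`, `syscall` and `exit`, an assumed simplification of the real rule's `-F exit=-EACCES` comparison.

```python
"""
Added example: parse the audit event quoted in the post and simulate
first-match rule evaluation to show why rule order decides whether
`-a exit,never -F gid=9002` suppresses anything.
"""
import re
from collections import defaultdict

# Constructed sample: the four records of audit serial 52947542 from the post,
# with the mail-client line wrapping undone.
SAMPLE_LOG = """\
type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133 dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
type=PATH msg=audit(1441022906.019:52947542): item=0 name="/var/log/simpana/Log_Files/locks/" inode=92 dev=fd:06 mode=040775 ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
type=CWD msg=audit(1441022906.019:52947542):  cwd="/opt/simpana"
type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2 success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855 pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990 egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup" exe="/opt/simpana/iDataAgent/clBackup" subj=system_u:system_r:initrc_t:s0 key="access"
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>) identifies the event a record belongs to
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_records(text):
    """Group raw audit lines into events keyed by (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[(m.group(1), int(m.group(2)))].append(fields)
    return dict(events)


def syscall_record(event):
    """The SYSCALL record carries the process fields (gid, comm, exe, ...)."""
    return next(r for r in event if r.get("type") == "SYSCALL")


def rule(action, **conds):
    """A simplified rule: an action plus equality tests on SYSCALL fields."""
    return (action, conds)


def evaluate(rules, event):
    """Apply rules in load order; the first rule whose fields all match wins.
    If nothing matches, no record is generated (equivalent to 'never')."""
    rec = syscall_record(event)
    for action, conds in rules:
        if all(str(rec.get(f)) == str(v) for f, v in conds.items()):
            return action
    return "never"


# Assumed reduction of a STIG-style access rule
# (-a always,exit -F arch=b64 -S open -F exit=-EACCES -k access):
# arch b64 is c000003e, open is syscall 2 on x86_64, EACCES is -13.
STIG_ACCESS = rule("always", arch="c000003e", syscall="2", exit="-13")
# The suppression from the post: -a exit,never -F gid=9002
SUPPRESS_GID = rule("never", gid="9002")


def outcome(rules):
    """Evaluate the sample event against an ordered rule list."""
    event = parse_records(SAMPLE_LOG)[("1441022906.019", 52947542)]
    return evaluate(rules, event)


if __name__ == "__main__":
    # Suppression loaded after the generating rule: unreachable, event logged.
    print(outcome([STIG_ACCESS, SUPPRESS_GID]))   # always
    # Suppression loaded first: matched before the STIG rule, event dropped.
    print(outcome([SUPPRESS_GID, STIG_ACCESS]))   # never
```

The simulation only models equality tests on the SYSCALL record and ignores the kernel's separate task, user and exclude lists, but it captures the property that matters here: where the `never` rule sits in audit.rules relative to the STIG rules decides whether it takes effect, and the parsed SYSCALL record confirms that `gid=9002` is the value the suppression would have to match.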


Thread overview: 4+ messages
2015-08-31 12:18 rshaw1 [this message]
2015-08-31 13:22 ` Filtering audit events Steven Grubb
2015-08-31 13:58   ` rshaw1
2015-09-02 23:31     ` Steve Grubb
