From mboxrd@z Thu Jan  1 00:00:00 1970
From: rshaw1@umbc.edu
Subject: Filtering audit events
Date: Mon, 31 Aug 2015 08:18:12 -0400
Message-ID: <80528828ce7a24c2d9ed2e16b46f4fb6.squirrel@webmail.umbc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com
	[10.5.110.29])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id t7VCIEj3016612
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Mon, 31 Aug 2015 08:18:14 -0400
Received: from mx3.umbc.edu (mx3.umbc.edu [130.85.25.78])
	by mx1.redhat.com (Postfix) with ESMTPS id A2068341AEE
	for <linux-audit@redhat.com>; Mon, 31 Aug 2015 12:18:13 +0000 (UTC)
Received: from smtp.umbc.edu (localhost [127.0.0.1])
	by umbc.edu (mx3.umbc.edu) with ESMTP id t7VCICWB028680
	for <linux-audit@redhat.com>; Mon, 31 Aug 2015 08:18:12 -0400 (EDT)
Received: from webmail.umbc.edu (webmail2.umbc.edu [130.85.24.67])
	by smtp.umbc.edu (mx3-relay.umbc.edu) with ESMTP id t7VCIC1l028677
	for <linux-audit@redhat.com>; Mon, 31 Aug 2015 08:18:12 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I'm trying to figure out a way to filter a large number of events similar
to the following:

time->Mon Aug 31 08:08:26 2015
type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133
dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00
obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
type=PATH msg=audit(1441022906.019:52947542): item=0
name="/var/log/simpana/Log_Files/locks/" inode=92 dev=fd:06 mode=040775
ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0
nametype=PARENT
type=CWD msg=audit(1441022906.019:52947542):  cwd="/opt/simpana"
type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2
success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855
pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990
egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup"
exe="/opt/simpana/iDataAgent/clBackup" subj=system_u:system_r:initrc_t:s0
key="access"

The STIG-compliant audit ruleset we're using seems to generate a lot of
these, and I'm concerned that may be affecting the performance of the app
in question (also, I consider it log spam).  I tried the following rule
(plus a few variations like ogid), but it doesn't seem to be working:

-a exit,never -F gid=9002 -k exclude

What would be the best way to approach this?  I have a few other apps with
similar issues.

Thanks,

--Ray