From: rshaw1@umbc.edu
To: linux-audit@redhat.com
Subject: Re: Filtering audit events
Date: Mon, 31 Aug 2015 09:58:42 -0400
Message-ID: <84a967ab2e861435cc1d0c3553aef15f.squirrel@webmail.umbc.edu>
In-Reply-To: <1315756444.19796884.1441027336015.JavaMail.zimbra@redhat.com>
> If you use the -i argument to ausearch, it becomes more clear what the
> issue is. The problem is that the program is opening the file for read and
> write, but the permissions are just for group read. If that file were
> 0660, then you would not get this audit event.
Hrm. The process is running as the root user, though. It's going over
the whole filesystem (for backups).
>>The STIG-compliant audit ruleset we're using seems to generate a lot of
>>these, and I'm concerned that may be affecting the performance of the app
>>in question (also, I consider it log spam). I tried the following rule
>>(plus a few variations like ogid), but it doesn't seem to be working:
>>
>>-a exit,never -F gid=9002 -k exclude
>
> This should work as long as it's before the open rule. Rules are processed
> from top to bottom with first match winning.
>
>>What would be the best way to approach this?
It's pretty much at the top, well before the open rule. There are only
two other exclude rules before it, and the general settings:
-D
-b 8192
-f 1
This is on RHEL6, if that matters.
--Ray
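A rule-ordering check, added here as an example and not part of the thread: it parses a small constructed ruleset modelled on Ray's description and flags any `exit,never` exclude that sits below an `always,exit` rule on the same list, since rules are matched top to bottom with first match winning. The sample ruleset and the subset of auditctl syntax handled (`-a`, `-S`, `-F`, `-k`) are assumptions.

```python
import re
import shlex

# Constructed sample ruleset modelled on the thread (not a real STIG file):
# the gid-9002 exclude sits above the open/openat rules, as Ray describes.
SAMPLE_RULES = """\
-D
-b 8192
-f 1
-a exit,never -F gid=9002 -k exclude
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
"""

def parse_rules(text):
    """Return (line_no, action, filter_list, syscalls, fields) for each -a rule.
    Assumed auditctl subset: -a list,action or action,list, then -S/-F/-k pairs."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-a":
            continue  # -D, -b, -f, -w and blank lines are not syscall rules
        a, b = argv[1].split(",")
        action, flist = (a, b) if a in ("always", "never") else (b, a)
        syscalls, fields = [], {}
        i = 2
        while i + 1 < len(argv):
            if argv[i] == "-S":
                syscalls.append(argv[i + 1])
            elif argv[i] == "-F":
                m = re.match(r"(\w+)(!=|>=|<=|=|>|<)(.*)", argv[i + 1])
                if m:
                    fields[m.group(1)] = (m.group(2), m.group(3))
            i += 2
        rules.append((n, action, flist, syscalls, fields))
    return rules

def shadowed_excludes(text):
    """Line numbers of 'never' rules placed after an 'always' rule on the same
    list; first match wins, so events the earlier rule matches never reach them."""
    seen_always = {}  # filter list -> line of its first 'always' rule
    bad = []
    for n, action, flist, _syscalls, _fields in parse_rules(text):
        if action == "always":
            seen_always.setdefault(flist, n)
        elif action == "never" and flist in seen_always:
            bad.append(n)
    return bad
```

Run it over the rules file loaded on the host (for example the output of `auditctl -l`) to confirm the exclude really precedes the open rules after any ordering done by the loader.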