Strategies I would try are:

1) have the script add a rule via auditctl that excludes the correct pid or parent pid from logging.

2) create a special user for this task and exclude their uid in the rule.

3) copy /usr/bin/top to /usr/bin/topAsUserMonitor and set it to run setuid to some user 'monitor' (who is locked down with a default shell of /bin/nologin) and then use strategy 2 excluding uid monitor, then call topAsUserMonitor instead of regular top from your script.

So your rule would look something like this:

-a exit,always -S open -F exit=-13 -F ppid!=<pid of script>

- or -

-a exit,always -S open -F exit=-13 -F uid!=monitor

hth,
Keith

On Mon, Sep 08, 2008 at 09:10:34AM -0400, Sincox, Anthony P wrote:
> I'm still looking for suggestions.
>
> Thanks,
>
> Tony
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sincox, Anthony P
> Sent: Tuesday, August 26, 2008 12:27 PM
> To: [email protected]
> Subject: Exclusion of Linux "top" command in Audit Rules
>
> Looking for some assistance.
>
> I am trying to keep from logging activity of a Linux command we keep running in the foreground to monitor the progress of a scripting task. We monitor the progress of this task using the Linux "top" command.
>
> I'm trying to figure out how to use the "exclude" filter in the audit rules to exclude logging of this "top" command. I am running on the Fedora 7 O/S. I am also utilizing the nispom.rules for the audit daemon.
>
> The logging I'm receiving is similar to this:
>
> type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"
> type=CWD msg=audit(1219770680.762:206): cwd="/usr/local/people/tony"
> type=PATH msg=audit(1219770680.762:206): item=0 name="/var/run/utmp" inode=2074631 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
>
> This is the type of logging I'm trying to exclude. Any ideas would be helpful.
>
> Thanks,
>
> Tony Sincox
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
C I S C O GGSG VoIP
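As an added example (not from the thread, and not part of audit itself): a small Python check of how Keith's two candidate rules would treat the SYSCALL record quoted in Tony's mail. It assumes the usual auditctl semantics that a record is logged only when every -F condition holds, and a hypothetical uid of 1001 for the 'monitor' user.

```python
import re
import shlex

# Constructed from the SYSCALL line quoted in the original mail.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1219770680.762:206): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=92df4b a1=8002 a2=bf82f338 a3=92df51 items=1 '
    'ppid=8076 pid=8208 auid=500 uid=500 gid=510 euid=500 suid=500 fsuid=500 '
    'egid=510 sgid=510 fsgid=510 tty=pts2 comm="top" exe="/usr/bin/top" key="open"'
)

# Assumed numeric id for the hypothetical 'monitor' user (strategies 2 and 3).
USER_IDS = {"monitor": 1001}

# An auditctl -F filter is <field><op><value>; only = and != are handled here.
FILTER_RE = re.compile(r"^(\w+)(=|!=)(.+)$")


def parse_record(line):
    """Turn one audit record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def parse_rule(rule):
    """Collect the (field, op, value) triples from the -F options of a rule."""
    argv = rule.split()
    conds = []
    for i, arg in enumerate(argv):
        if arg == "-F" and i + 1 < len(argv):
            m = FILTER_RE.match(argv[i + 1])
            if not m:
                raise ValueError("unsupported -F filter: " + argv[i + 1])
            conds.append(m.groups())
    return conds


def rule_logs_record(rule, record):
    """True if the record would be logged: every -F condition must hold."""
    for field, op, value in parse_rule(rule):
        # auditctl accepts user names for uid-type fields; map to numeric ids.
        if field in ("uid", "auid", "euid") and value in USER_IDS:
            value = str(USER_IDS[value])
        matched = record.get(field) == value
        if (op == "=" and not matched) or (op == "!=" and matched):
            return False
    return True
```

Running the ppid rule with the script's real pid (8076 in the quoted record) drops the record, while the uid rule only drops it once top actually runs as the monitor user.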
