Steve, et.al. Here is a representative sample of audit.log entries recorded whenever cron periodically (every minute) queries for cron entries that need execution. " type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old auid=4294967295 new auid=0 type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0 auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)' " These events typically comprise at least 80% of all the audit.log entries although they are repetitive thoughout the log and do not indicate any user attempt to compromise the system.
Is there any relatively straight forward way that I can configure Auditd to not record events for crond routinely running as root? I am using audit-1.0.16-3.el4 on CentOS-4.7 Thanks! Tom Call, LMCO
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
