On Monday 19 October 2009 11:02:33 am Rich Whitcroft wrote:
> Here's my current rule, which is working, but is producing a lot of
> extra log that I'd like to suppress:
>
> -a entry,always -S execve -F euid=0

I assume the intention is to log all programs executed when someone is running as root?

> I'm wondering if there's a way to limit this to only audit events that
> happen from a real tty, e.g. a human user.

-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295

The loginuid is only set for real logins. But if they issue "service httpd restart", then apache has their loginuid, too, and you will start getting apache events.

> I'm getting lots of extraneous chatter from sshd, automount, and cron, all
> of which are from tty=(none), but I'm not sure it's possible to filter on
> tty...

The way that we suggest auditing the actions of a root user is by using the tty audit capability. This is a little more specific about what is really happening. For example, someone could start a python shell and start issuing commands. If you audit by execve, then all you see is python start up and then you see nothing else. Also, bash can do networking. It's possible to transfer files using bash primitives that you won't pick up by auditing execve syscalls. Awk is also network aware...

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
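The loginuid filter from the reply above, replayed over logged SYSCALL records so the effect of each -F clause is visible, including the httpd case that still gets through. This is an added example, not code from the thread or from the audit project; the sample records are constructed, and the uid threshold of 500 is taken from the rule as posted.

```python
import re

# The kernel's "unset" loginuid: (unsigned int)-1, the value the rule excludes.
AUID_UNSET = 4294967295
MIN_USER_UID = 500     # first regular user uid on RHEL/Fedora of that era
EXECVE_X86_64 = "59"   # syscall number behind -S execve when arch=c000003e

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in auditd's SYSCALL format (not from a real host).
SAMPLE_LOG = [
    # root shell on a terminal after a real login: the rule keeps this
    'type=SYSCALL msg=audit(1255968153.101:201): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls"',
    # cron job: loginuid never set, so auid is the sentinel and the rule drops it
    'type=SYSCALL msg=audit(1255968153.102:202): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=1 pid=2100 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts"',
    # ordinary user running a program: euid is not 0, dropped
    'type=SYSCALL msg=audit(1255968153.103:203): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=2001 pid=2003 auid=500 uid=500 gid=500 euid=500 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim"',
    # httpd restarted by that user: inherits auid=500 despite tty=(none), so it is still logged
    'type=SYSCALL msg=audit(1255968153.104:204): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=2050 pid=2051 auid=500 uid=0 gid=0 euid=0 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd"',
    # an open() by root, not execve: a different syscall, so -S execve never matches it
    'type=SYSCALL msg=audit(1255968153.105:205): arch=c000003e syscall=2 success=yes '
    'exit=3 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash"',
]

def parse_record(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def matches_rule(rec):
    """Replays -a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295
    against a logged SYSCALL record."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != EXECVE_X86_64:
        return False
    euid = int(rec.get("euid", -1))
    auid = int(rec.get("auid", AUID_UNSET))
    return euid == 0 and auid >= MIN_USER_UID and auid != AUID_UNSET

def filter_log(lines):
    """Return (comm, auid, tty) for every record the filtered rule would still emit."""
    return [(r["comm"], int(r["auid"]), r.get("tty", "(none)"))
            for r in map(parse_record, lines) if matches_rule(r)]

if __name__ == "__main__":
    for comm, auid, tty in filter_log(SAMPLE_LOG):
        print(f"kept: comm={comm} auid={auid} tty={tty}")
```

The sshd/cron/automount noise disappears because those records carry the unset loginuid, while the httpd record survives with tty=(none), which is exactly why the reply points to tty auditing instead of filtering on the terminal.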
