Hello, I've recently been working on a number of systems that need to fulfill auditing requirements for things such as "failed program executions," "failed file/directory deletions" and such, and we have been attempting to use auditd to fulfill these requirements. However we've been having difficulty filtering out the 'noise' from non-interactive processes since our requirements only need us to capture these events for real human users.
In older versions of the audit code, we used the following type of system call auditing rule which seemed to work pretty well: -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1 Filtering on an 'auid!=-1' seemed to do a very good job of stripping out system calls from daemon processes and such. However at some point I guess this was changed because we no longer seem to be able to capture any system calls at all when we have this filter defined on a rule. Can someone point me to documentation/examples or help me out with the proper syntax for setting up rules that will exclude the background processes? We are using auditd 1.7.4 now and the 'auid' filter above no longer does the job. Any help would be very much appreciated! Thanks. Patrick -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
