On Sun, Jan 16, 2011 at 10:00:11AM -0500, Steve Grubb [[email protected]] wrote:
> > > > Can someone point me to documentation/examples or help me out with the
> > > > proper syntax for setting up rules that will exclude the background
> > > > processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> > > > longer does the job.
> > >
> > > There's been a lot of bugs fixed since then. You might try building a
> > > newer auditctl and trying it out to see if that makes a difference. Also
> > > note that the event capturing is done by the kernel and the kernel
> > > version would matter more than the auditd version.
> >
> > Unfortunately I'm in one of those situations where changing software
> > versions will cause severe heartburn with management and customer types
> > due to concerns about baseline stability, so I have to stick with what we
> > have right now. The kernel is 2.6.33.1 with no extra patches, as far as I
> > know.
>
> That should work unless there is a 32 bit bug everyone has missed or you have
> another rule preventing the logging. If you do cat /proc/self/loginuid, do you
> get a number > 0? Also, if you use auid!=4294967295, does that work?
The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the filters,
when I run 'auditctl -l' the rules are listed, but each one has
'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all tagged
with auid 4294967295. Is this proper or did I stumble upon a bug after all?

I've managed a workaround for most of my systems; since we do not permit direct
root login to anything, using a filter of '-F uid!=0' manages to filter out most
of the background activity. However I do have a couple of systems that only have
a root user so this method does not work.

Thanks again!

Patrick

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
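A sanity check for the situation Patrick describes, added here as an example and not code from the thread or the audit project: after loading an auid filter, compare the auid that `auditctl -l` reports against the one you asked for, and treat 4294967295 (the unsigned 32-bit value of -1, the "loginuid never set" sentinel) as the expected value for background processes. The function names and the sample rule lines are my own; the lines are constructed to mirror the thread and assume the `auid<op><number>` field form shown there.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the auid filter auditctl
# lists is the one that was requested. The sample 'auditctl -l' lines below are
# constructed; the second mirrors the thread, where '-F auid!=4294967295' came
# back as 'auid=2147483647 (0x7fffffff)'.

UNSET_AUID=4294967295   # (u32)-1: loginuid never set, i.e. daemons, cron, boot
INT32_MAX=2147483647    # 0x7fffffff, the largest value a signed 32-bit int holds

# Print the numeric auid found in one rule line, or nothing if there is none.
# Assumes the 'auid<op><number>' form seen in the thread (hypothetical helper).
rule_auid() {
    printf '%s\n' "$1" | sed -n 's/.*auid[!=<>]*=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the listed rule carries the requested auid, 1 otherwise.
# Flags the specific case where the listed value equals INT32_MAX.
auid_rule_matches() {
    requested=$1; line=$2
    listed=$(rule_auid "$line")
    [ -n "$listed" ] || { echo "no auid field in rule: $line" >&2; return 1; }
    if [ "$listed" = "$requested" ]; then
        return 0
    fi
    echo "auid mismatch: requested $requested, listed $listed" >&2
    [ "$listed" = "$INT32_MAX" ] && \
        echo "listed value equals INT32_MAX (0x7fffffff): the requested unsigned value was not kept" >&2
    return 1
}

# Return 0 if a loginuid value (as read from /proc/<pid>/loginuid) is the
# unset sentinel, meaning the process did not come through a login session.
loginuid_unset() {
    [ "$1" = "$UNSET_AUID" ]
}

# Constructed sample lines standing in for 'auditctl -l' output.
GOOD_RULE='-a exit,always -F arch=b64 -S open -F auid!=4294967295'
BAD_RULE='-a exit,always -F arch=b64 -S open -F auid=2147483647 (0x7fffffff)'

auid_rule_matches "$UNSET_AUID" "$GOOD_RULE" && echo "ok: rule keeps auid $UNSET_AUID"
auid_rule_matches "$UNSET_AUID" "$BAD_RULE" || \
    echo "rule did not keep the requested auid; its events are effectively unfiltered"
```

On a live system, feed `auditctl -l` lines to `auid_rule_matches` and `cat /proc/self/loginuid` to `loginuid_unset` to confirm that your own shell is not itself treated as a background process.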
