From the little knowledge that I have - For excluding 'cwd' type messages, try this at the beginning of the rule file:

    -a exclude,always -F msgtype=CWD

For other messages, try 'exit=4294967294' in the rules. Not sure if this will solve it, but worth a try.

On Thu, Sep 29, 2011 at 8:01 PM, Worsham, Michael <[email protected]> wrote:
> Does anyone have an idea on how to suppress (exclude) these entries from
> showing up in the audit.log on a RHEL platform? I have tried the following
> to no success:
>
> type=CWD msg=audit(1316431049.130:131982948): cwd="/"
> type=PATH msg=audit(1316431049.130:131982948): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/x86_64/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
> type=CWD msg=audit(1316431049.130:131982949): cwd="/"
> type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982950): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
> type=CWD msg=audit(1316431049.130:131982950): cwd="/"
> type=PATH msg=audit(1316431049.130:131982950): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/x86_64/libc.so.6"
> type=SYSCALL msg=audit(1316431049.130:131982951): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
>
> Packages installed:
>
> redhat-release-5Server-5.7.0.3
> audit-1.7.18-2.el5
> selinux-policy-targeted-2.4.6-316.el5
>
> Current rules:
>
> ## Suppress all VMware Tools system calls
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
> -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
> -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
-Rathor
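As an added illustration (not code from the thread or the audit project), here is a small Python checker that groups audit records by their event serial and reports which events match the criteria the rules in the thread are trying to express: a failed open (syscall 2 on arch c000003e is open(2) on x86_64) returning -ENOENT, by an initrc_t process, on a path under /usr/lib/vmware-tools. The sample log is constructed from trimmed copies of the quoted records plus one unrelated event, and the exit normalisation shows why exit=-2 and exit=4294967294 describe the same value (-2 read as an unsigned 32-bit integer).

```python
import re
from collections import defaultdict

# Constructed sample: one event modelled on the records quoted in the thread
# (fields trimmed) and one unrelated, successful open by an ordinary user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1316431049.130:131982949): cwd="/"
type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1316431049.131:131982960): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1000 auid=500 uid=500 comm="vim" exe="/usr/bin/vim" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1316431049.131:131982960): cwd="/home/user"
type=PATH msg=audit(1316431049.131:131982960): item=0 name="/etc/passwd"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, serial)

def parse_events(text):
    """Group records by event serial; each event maps record type -> fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[m.group(2)][fields["type"]] = fields
    return dict(events)

def syscall_exit(rec):
    """Normalise exit: the kernel logs a negative errno, but the same value
    may be written as its unsigned 32-bit form (e.g. 4294967294 == -2)."""
    v = int(rec["exit"])
    return v - 2**32 if v >= 2**31 else v

def would_be_suppressed(event):
    """True when the event matches the criteria the thread's rules aim at:
    open(2) on x86_64 failing with -ENOENT from an initrc_t process, on a
    path under /usr/lib/vmware-tools."""
    sc, p = event.get("SYSCALL"), event.get("PATH")
    if not sc or not p:
        return False
    return (sc["arch"] == "c000003e" and sc["syscall"] == "2"
            and syscall_exit(sc) == -2
            and ":initrc_t:" in sc["subj"]
            and p["name"].startswith("/usr/lib/vmware-tools/"))

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE_LOG).items():
        print(serial, "suppress" if would_be_suppressed(ev) else "keep")
```

Running such a check over the existing audit.log before loading an `-a exit,never` rule shows exactly which events the filter would hide, so the noise goes and nothing else does.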
