On Tuesday, September 18, 2012 10:12:53 AM Peter Moody wrote: > On Tue, Sep 18, 2012 at 9:59 AM, Steve Grubb <[email protected]> wrote: > > On Tuesday, September 18, 2012 06:50:08 PM Laura Martín wrote: > >> I'm trying to exclude cron events from audit logging. I can't see how can > >> I do to only exclude this kind of entries: > >> > >> ---- > >> time->Mon Sep 17 11:00:01 2012 > >> type=PATH msg=audit(1347872401.521:5212): item=0 > >> name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0 > >> ogid=0 rdev=00:00 > >> type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool" > >> type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2 > >> success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640 > >> pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > >> fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" > >> key=(null) > >> ---- > >> > >> I didn't see any option to exclude events by 'exe' or 'comm' field. > >> > >> Any hints? > > > > There is the possibility to exclude events by SE Linux context. But I > > don't see a SE Linux context in your event. So, without SE Linux being > > enabled...there's not much you can do. > > > > There was a patch to audit by process name, which might address this > > problem, but its not accepted yet. > > my patch only allows for positive match, not negative matching. I was > afraid someone saying something like, '-a exit,always -S open -F > exe!=/bin/bash' but I suppose like any audit rule, it could be a > caveat emptor sort of thing. > > I'll modify that patch and resend it, but it doesn't help the current > situation.
I was thinking something like -a exit,never -S open -F exe=/bin/bash -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
