On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> Hello Experts,
>
> We have a big customer that is facing the following issue on RHEL 6.2.
> As per customer request I've configured the following rules:
>
> $ cat audit.rules
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
>
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
>
>
> Audit starts working as expected. Now the customer is asking to exclude/ignore
> the following from the audit logs:
>
> type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
> type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
> type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
> type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
>
> ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
> type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
> type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
> type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
>
> What would be the best way to exclude such audit?
> Your help would be much appreciated.
What's objectionable about these events? The fact that it's got a key says they think they wanted it.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
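Added example, not from the thread or the audit project: a small Python parser over the records quoted above (sample input constructed from them, PATH records omitted) that groups records by event serial and decodes the hex-encoded EXECVE argument, so a reviewer can see that the "sh -c" event keyed rootact is really `/bin/ps auxwwww` run from the Discovery agent's directory before deciding whether it is noise worth excluding.

```python
import re

# Constructed sample: the two events from the quoted mail (PATH records
# omitted). EXECVE a2 is auditd's hex encoding of an argument with a space.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')

def decode_value(raw, hex_ok=False):
    """Quoted values are literal; decode uppercase hex only for EXECVE argv
    (SYSCALL a0..a3 are raw register values and must not be decoded)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if hex_ok and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_audit_log(text):
    """Group records by event serial: who ran what (euid, exe, decoded argv),
    from which cwd, under which rule key. Returns {serial: event dict}."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"time": float(m.group(1)), "argv": []})
        fields = dict(FIELD_RE.findall(line))
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            for k in ("comm", "exe", "key", "euid", "auid", "pid", "ppid", "success"):
                if k in fields:
                    ev[k] = decode_value(fields[k])
        elif rtype == "EXECVE":
            ev["argv"] = [decode_value(fields["a%d" % i], hex_ok=True)
                          for i in range(int(fields["argc"]))]
        elif rtype == "CWD":
            ev["cwd"] = decode_value(fields["cwd"])
    return events

def command_line(ev):
    """Reassemble decoded argv; the hex a2 above becomes '/bin/ps auxwwww'."""
    return " ".join(ev["argv"])
```

On a live system `ausearch -i` performs the same hex decoding when you query by key, e.g. `ausearch -k rootact -i`.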