Suppress or exclude messages from /var/log/audit.log via audit.rules
by [Cloud ASIA] Toshihiro Takehara
Hi
My name is Takehara, living in Japan.
I set up audit.rules, and then audit.log became very big.
The reason is that the keepalived daemon and its misc check shell script add some
entries every second.
I want to suppress or exclude these log entries, and I searched for a way like this.
=> https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
but I could not get an effective answer.
Could someone please tell me an effective way?
This is the audit.rules, below.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> # Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> -a exit,always -F arch=b64 -S open -F uid=10
> -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> -w /etc/sudoers -p wa -k sudoers-change
> -w /etc/ -p wa
> -w /var/lib/mysql -p wa
- keepalived is checking every second.
/usr/sbin/keepalived
- misc check program
/root/mysql_status_check.sh
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
=========================
Cloud ASIA Co., Ltd. [ 株式会社クラウドエイジア ]
Founder & CEO Takehara Toshihiro
〒174-0073
33-14-101, Higashiyama-cho, Itabashi-ku, Tokyo, Japan
TEL: +81-3-6869-2994 FAX: +81-3-6869-3974
Mobile: +81-90-4737-8137
Mobile in Laos: +856-20-5912-2188
http://www.cloud-asia.co.jp
http://www.facebook.com/cloud.asia.japan
takehara(a)cloud-asia.co.jp
Lao Systems [ ラオシステムズ ]
Founder & CEO Takehara Toshihiro
http://lao-systems.jp/
=========================
9 years, 8 months
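An added example (Python, not part of the original mail) that parses SYSCALL records like the ones quoted above and checks a rules file for exclusion ordering: auditctl evaluates rules in load order and the first match wins, so `never` rules have to be loaded before the `always` rules they are meant to shadow. The sample records and rules below are constructed.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the SYSCALL lines quoted in the mail.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
"""

# Constructed rules fragment with the ordering problem of the mail's file: the exclusion comes last.
SAMPLE_RULES = """\
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-w /etc/ -p wa
-a exit,never -F arch=b64 -S all -F path=/root/mysql_status_check.sh
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one 'type=SYSCALL ...' line into its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def noise_by_exe(log_text):
    """Count SYSCALL records per (exe, key). key=(null) means the matching
    rule carried no -k tag, so the record cannot be traced back to a rule."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            counts[(rec.get("exe"), rec.get("key"))] += 1
    return counts

def misordered_never_rules(rules_text):
    """Return 'never' rules that appear after an 'always' rule or a -w watch.
    auditctl evaluates rules in load order and the first match wins, so an
    exclusion placed after the rule it should shadow never takes effect."""
    seen_always = False
    late = []
    for line in rules_text.splitlines():
        if re.match(r'\s*-w\s', line):          # watches are always-rules
            seen_always = True
            continue
        m = re.match(r'\s*-a\s+(\S+)', line)
        if not m:
            continue
        action = set(m.group(1).split(','))
        if 'always' in action:
            seen_always = True
        elif 'never' in action and seen_always:
            late.append(line.strip())
    return late
```

Run `noise_by_exe` over a real audit.log to see which programs dominate, and `misordered_never_rules` over the rules file before reloading it with auditctl.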
[PATCH] audit.h: remove the macro AUDIT_ARCH_ARMEB definition
by roy.qing.li@gmail.com
From: Li RongQing <roy.qing.li(a)gmail.com>
After 2f9783669 [ARM: 7412/1: audit: use only AUDIT_ARCH_ARM regardless
of endianness], no kernel user uses this macro.
Keeping this macro only makes compiling the old audit version [before
changeset 931 Improve ARM and AARCH64 support] succeed, but that audit
program still cannot work with the kernel after 2f9783669,
since no syscall entry is enabled for AUDIT_ARCH_ARMEB in the kernel.
So remove it to force use of the latest audit program.
Signed-off-by: Li RongQing <roy.qing.li(a)gmail.com>
---
Another workaround is to define AUDIT_ARCH_ARMEB as AUDIT_ARCH_ARM,
but it seems very strange.
include/uapi/linux/audit.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d3475e1..125aa49 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -351,7 +351,6 @@ enum {
#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
-#define AUDIT_ARCH_ARMEB (EM_ARM)
#define AUDIT_ARCH_CRIS (EM_CRIS|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_FRV (EM_FRV)
#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
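Review bot: deleting a symbol from include/uapi/linux/audit.h is a userspace ABI change that breaks the build of any program still referencing AUDIT_ARCH_ARMEB, so the commit message should state that explicitly as the intended effect (forcing audit userspace at or after changeset 931) rather than leaving it implied. The alternative of defining AUDIT_ARCH_ARMEB as AUDIT_ARCH_ARM and the reason for rejecting it currently sit below the `---` cut, where they will not reach the git history; consider moving that rationale into the commit message.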
--
2.1.0
9 years, 8 months