On Sun, Jan 16, 2011 at 10:00:11AM -0500, Steve Grubb [sgrubb(a)redhat.com] wrote:
> > > Can someone point me to documentation/examples or help me out with the
> > > proper syntax for setting up rules that will exclude the background
> > > processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> > > longer does the job.
> >
> > There's been a lot of bugs fixed since then. You might try building a
> > newer auditctl and trying it out to see if that makes a difference. Also
> > note that the event capturing is done by the kernel and the kernel
> > version would matter more than the auditd version.
>
> Unfortunately I'm in one of those situations where changing software
> versions will cause severe heartburn with management and customer types
> due to concerns about baseline stability, so I have to stick with what we
> have right now. The kernel is 2.6.33.1 with no extra patches, as far as I
> know.
> That should work unless there is a 32 bit bug everyone has missed or you have another
> rule preventing the logging. If you do cat /proc/self/loginuid, do you get a number >
> 0? Also, if you use auid!=4294967295, does that work?
The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the
filters, when I run 'auditctl -l' the rules are listed, but each one has
'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all
tagged with auid 4294967295. Is this proper or did I stumble upon a bug
after all?
I've managed a workaround for most of my systems; since we do not permit
direct root login to anything, using a filter of '-F uid!=0' manages to
filter out most of the background activity. However I do have a couple of
systems that only have a root user so this method does not work.
Thanks again!
Patrick
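An added example, mine rather than code from the thread or from the audit project, that parses a few constructed SYSCALL records and applies the two exclusion rules discussed above, '-F auid!=4294967295' and the '-F uid!=0' workaround, as plain numeric comparisons. Comparing against 2147483647 assumes the loaded rule behaves the way the 'auditctl -l' listing suggests; that is an assumption for illustration, not a statement about the kernel's code.

```python
import re

UNSET_AUID = 4294967295      # loginuid "not set": -1 stored as unsigned 32-bit
TRUNCATED_AUID = 2147483647  # 0x7fffffff, the value 'auditctl -l' showed in the thread

# Constructed sample SYSCALL records (not taken from a real system).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1295190000.001:101): arch=40000003 syscall=5 '
    'success=yes exit=3 auid=4294967295 uid=0 comm="cron"',      # root daemon
    'type=SYSCALL msg=audit(1295190000.002:102): arch=40000003 syscall=5 '
    'success=yes exit=4 auid=4294967295 uid=48 comm="httpd"',    # non-root daemon
    'type=SYSCALL msg=audit(1295190000.003:103): arch=40000003 syscall=5 '
    'success=yes exit=3 auid=500 uid=500 comm="bash"',           # logged-in user
    'type=SYSCALL msg=audit(1295190000.004:104): arch=40000003 syscall=5 '
    'success=yes exit=3 auid=0 uid=0 comm="vim"',                # direct root login
]


def parse_record(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def rule_matches(rec, field, negate, value):
    """Mimic one '-F field=value' (negate=False) or '-F field!=value'
    (negate=True) comparison: the rule fires, and the event is logged,
    when the comparison holds. Assumes a simple numeric compare."""
    actual = int(rec[field])
    return actual != value if negate else actual == value


def logged_comms(records, field, negate, value):
    """Names of the processes whose records the given rule would still log."""
    return [parse_record(r)["comm"] for r in records
            if rule_matches(parse_record(r), field, negate, value)]


if __name__ == "__main__":
    # The rule as typed: background (auid unset) records are dropped.
    print(logged_comms(SAMPLE_RECORDS, "auid", True, UNSET_AUID))      # ['bash', 'vim']
    # The rule as listed (0x7fffffff): no record carries that auid, so every
    # record is logged, which is the behaviour the thread reports.
    print(logged_comms(SAMPLE_RECORDS, "auid", True, TRUNCATED_AUID))  # all four comms
    # The uid!=0 workaround: drops cron, but also the root-only box's real session.
    print(logged_comms(SAMPLE_RECORDS, "uid", True, 0))                # ['httpd', 'bash']
```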