I&#39;m looking for a way to silence frequent messages attributed to crond in my audit.log files.<br><br>Here is a snippet of the messages i would like to filter:<br><br>type=<b>USER_ACCT</b> msg=audit(10/20/2009 16:10:01.608:10196) : user pid=30783 uid=root auid=unset msg=&#39;PAM: accounting acct=root : exe=<b>/usr/sbin/crond </b>(hostname=?, addr=?, terminal=cron res=success)&#39; <br>



type=<b>CRED_ACQ</b> msg=audit(10/20/2009 16:10:01.608:10197) : user pid=30783 uid=root auid=unset msg=&#39;PAM: setcred acct=root : exe=<b>/usr/sbin/crond</b> (hostname=?, addr=?, terminal=cron res=success)&#39; <br>type=<b>USER_START</b> msg=audit(10/20/2009 16:10:01.612:10199) : user pid=30783 uid=root auid=root msg=&#39;PAM: session open acct=root : exe=<b>/usr/sbin/crond</b> (hostname=?, addr=?, terminal=cron res=success)&#39; <br>



type=<b>CRED_DISP</b> msg=audit(10/20/2009 16:10:01.656:10200) : user pid=30783 uid=root auid=root msg=&#39;PAM: setcred acct=root : exe=<b>/usr/sbin/crond</b> (hostname=?, addr=?, terminal=cron res=success)&#39; <br>type=<b>USER_END</b> msg=audit(10/20/2009 16:10:01.656:10201) : user pid=30783 uid=root auid=root msg=&#39;PAM: session close acct=root : exe=<b>/usr/sbin/crond</b> (hostname=?, addr=?, terminal=cron res=success)&#39; <br>



<br>I literally get tens-of-thousands of these a day in my consolidated
audit.log (via audisp-remote).  All five of these events get dumped
to the audit log every time crond is executed.<br><br>The reasoning
behind this is that some of my customers are under regulations that
dictate security logs such as these are responded to and classified
within a certain time frame.  This is obviously a problem due to the
frequency of these messages.<br>
<br>I&#39;ve looked over every associated PAM module and corresponding
options with no luck.  I also picked through as many auditd man pages i
could find.<br><br>The only thing i was able to dig up was the ability to &#39;exclude&#39; certain message types with an audit rule.  <br>
<br>For example, I could exclude all USER_ACCT, CRED_ACQ, USER_START,
CRED_DISP, and USER_END message types, however, that would weaken the
overall security posture as some critical messages would get filtered.<br><br>Any help would be greatly appreciated.<br><br>Thanks!<br>-Nick