On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
>
> # cat audit.rules1
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> ### Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
It won't work this way. You now have 2 sets of rootact. The audit rule engine
is first match wins. So, this second set of rules will never trigger. The
rule I mentioned was supposed to replace the rule in the list.
> After restarting the auditd service the following error is received:
>
> # service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Unknown user: unset
> -F unknown field: auid
OK. I guess this is really old. Then make it auid=-1
-Steve
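The shadowing Steve describes, as an added example that is not part of the thread and not code from either poster: a small shell/awk checker that flags any syscall rule for which an earlier rule with the same -S list carries a subset of its -F filters, since under first-match-wins the earlier rule takes every event the later one would have taken. It is run over a constructed copy of the quoted rules file (auid rules appended after the euid=0 rules) and over a constructed version where the auid rule replaces the euid=0 rule, spelled `-F auid!=-1`, the numeric form of `auid!=unset` for an auditctl that rejects the name. The function names `shadowed_rules` and `shadowed_count`, the file paths, and both rule files are my assumptions. The comparison is by literal filter string, so it does not know that `auid!=unset` and `auid!=-1` mean the same thing.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags audit syscall rules that
# can never fire because an earlier rule with the same -S list carries a
# subset of their -F filters: with first-match-wins, the earlier rule
# takes every event the later one would have taken.
# Assumptions (mine): rules use the one-line "-a list,action -F ... -S ... -k ..."
# form; filters are compared as literal strings, so "auid!=unset" and
# "auid!=-1" count as different fields.

shadowed_rules() {
    awk '
    /^-a / {
        n = split($0, w, " ")
        filt = ""; sys = ""
        for (i = 1; i <= n; i++) {
            if (w[i] == "-F") filt = filt " " w[i + 1]
            else if (w[i] == "-S") sys = sys " " w[i + 1]
        }
        cnt++
        line[cnt] = NR; filters[cnt] = filt; syscalls[cnt] = sys
        # Compare against every earlier rule on the same syscall list.
        for (j = 1; j < cnt; j++) {
            if (syscalls[j] != sys) continue
            m = split(filters[j], f, " ")
            ok = 1
            for (k = 1; k <= m; k++)
                if (index(" " filt " ", " " f[k] " ") == 0) { ok = 0; break }
            if (ok) { print NR ": shadowed by line " line[j] ": " $0; break }
        }
    }' "$1"
}

# Number of shadowed rules in a file (awk so the result is always a bare integer).
shadowed_count() {
    shadowed_rules "$1" | awk 'END { print NR }'
}

# Constructed copy of the file quoted above: the auid rules are appended
# after the plain euid=0 rules.
APPENDED="${TMPDIR:-/tmp}/audit-appended.$$.rules"
cat > "$APPENDED" <<'EOF'
-D
-b 320
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
EOF

# Constructed corrected file: the auid rule replaces the euid=0 rule, with
# the value written numerically (-1 is the numeric form of "unset").
REPLACED="${TMPDIR:-/tmp}/audit-replaced.$$.rules"
cat > "$REPLACED" <<'EOF'
-D
-b 320
-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -F auid!=-1 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
EOF

echo "appended file:"; shadowed_rules "$APPENDED"
echo "replaced file:"; shadowed_rules "$REPLACED"
```

On the appended file the checker reports lines 7 and 8 as shadowed by lines 3 and 4; on the replaced file it reports nothing. Running it over /etc/audit/audit.rules before `service auditd restart` catches this class of mistake without needing a root execve to test against.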