Steve, et.al.

 Here is a representative sample of audit.log entries recorded whenever cron periodically (every minute) queries for cron entries that need execution.

“

type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old auid=4294967295 new auid=0

type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0 auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

“

 These events typically comprise at least 80% of all the audit.log entries although they are repetitive thoughout the log and do not indicate any user attempt to compromise the system.

 Is there any relatively straight forward way that I can configure Auditd to not record events for crond routinely running as root?

 I am using audit-1.0.16-3.el4 on CentOS-4.7

Thanks!

Tom Call, LMCO