Re: Excluding events by command
On Tuesday, September 18, 2012 06:50:08 PM Laura MartÃn wrote:
Hi all,
I'm trying to exclude cron events from audit logging. I can't see how can I
do to only exclude this kind of entries:
----
time->Mon Sep 17 11:00:01 2012
type=PATH msg=audit(1347872401.521:5212): item=0
name="/etc/pam.d/system-auth" inode=33635 dev=fd:00 mode=0100644 ouid=0
ogid=0 rdev=00:00
type=CWD msg=audit(1347872401.521:5212): cwd="/var/spool"
type=SYSCALL msg=audit(1347872401.521:5212): arch=c000003e syscall=2
success=yes exit=5 a0=2b5b7b627300 a1=0 a2=1b6 a3=0 items=1 ppid=11640
pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond"
key=(null)
----
I didn't see any option to exclude events by 'exe' or 'comm' field.
Any hints?
There is the possibility to exclude events by SE Linux context. But I don't
see a SE Linux context in your event. So, without SE Linux being
enabled...there's not much you can do.
There was a patch to audit by process name, which might address this problem,
but its not accepted yet.
But looking at the event, I'm not sure about the usefulness of logging
successful opens in the pam config directory. You might be able to better tune
your rules. Opening for write or opens that fail might be more interesting.
-Steve