Re: Question about excluding rules

Hello Experts, We have a big customer that facing the following issue on RHEL 6.2. As per customer request I've configured the following rules: $ cat audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 # Feel free to add below this line. See auditctl man page -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract Audit start working as expected. Now customer is asking to exclude/ignore the following from audit logs: type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact" type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777 type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact" type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL What would be the best way to exclude such audit? Your help would be much appreciated.