Hi Steve,
Yes, you are correct. We login as User 500 and switch user to oracle and issue the command.
The User 345 is oracle user. Which is used for oracle related activities in the system.
The command which we issue is srvctl stop/start database. We always install oracle and start manually for the first time.
As you mentioned, on reboot the system, it not generating too many logs. But the problem is, we cannot reboot the system every time, which only requires DB restart. Because application also be hosted in the same system.
The Srvctl command internally starts the ohasd.bin.
So can we avoid it, I mean do we have an option to exclude the ohasd.bin by using something like "-F exe!=ohasd.bin " or "-F path!= ...." . I tried both, it is not working.
Because "-F UID!=345" will restrict all the logs. Can we restrict the log which is generated by that particular process/application. ?
Thanks
Tilden
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Tuesday, November 18, 2014 8:56 PM
To: Tilden Doran D
Cc: linux-audit@redhat.com
Subject: Re: Excluding few executable from audit.rules in redhat6.5
On Tuesday, November 18, 2014 10:22:55 AM Tilden Doran D wrote:
> Hi
>
> auditctl -A exit,never -F arch=b32 -S chmod -F uid=345 auditctl -A
> exit,never -F arch=b64 -S chmod -F uid=345
>
> we would require a permanent fix. If UID=345 is used, I believe
> that all auditing functionality will not work for user ID=345,
Because the events shown are not translated, I can't tell what account 345 is.
I am assuming by its low number that its a system account. The rule above drops all auditing of chmod syscalls for the 345 user account.
> I mean if the userId(345) is logging in manually to the system and does some
> operation that will also be exclude.
Again, I can onlt speculate what that account is. If its a daemon, then it
should have auid=-1 and the system works fine. Because the auid is 500, that
tells me that user 500 started it. Because uid!=auid, I assume its either
setuid or user 500 changed to root and then issued, "service ohasd restart".
Its one or the other.
If user 500 changed to root and restarted the daemon, then a reboot will fix
everything and a permanent solution is not needed. Or you can put the rule in
depending on how often this happens. But if this is for more than one system,
then I'd use the 345 user's name so that auditctl looks it up in case its
different on each machine. reserved accounts are generally under 200.
> We want User inventions logs messages to be
> captured but exclude the System generated logs.
The rules you gave have this in them:
-F auid>=500 -F auid!=4294967295
This is to exclude daemons because they have auid of -1 (unless restarted by
hand).
> To be more detail.
>
> Ohasd.bin process is started by the user( while starting the database
> process) we want to captured this log.
The database is not started by the system on boot? Is this a system daemon or
a user session daemon?
> But after that the ohasd.bin process
> is running in background and it does lot of read write operations, we don't
> want those logs.
>
> Can you please let us know the way forward.
I am not familiar with that program, so I still need some answers to help you
figure out the right way to get rid of the events.
-Steve