Hello all,
I would like to ask for an explanation about making my audit.rules proper. What I am
trying to do is to exclude all the syscall events coming from
exe="/usr/bin/pulseaudio" and its components. At the moment about 95% of the audit
log is filled with messages related to pulseaudio:
# aureport -x -if my.log --summary
Executable Summary Report
=================================
total file
=================================
1156923 /usr/bin/pulseaudio
191719 /usr/libexec/pulse/gconf-helper
49282 /usr/bin/gnome-volume-control-applet
8035 /usr/libexec/gnome-settings-daemon
1045 /usr/sbin/crond
265 /usr/bin/nautilus
23 /usr/sbin/sshd
Please look through the current version of audit.rules. How should I modify them?
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
#-a exit,never -F exe=/usr/bin/pulseaudio -S open
# 4294967295 is the unset loginuid ((uint32)-1); the original had a digit missing
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S execve
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S vfork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S exit
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S exit_group
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S getdents
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S chmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchmodat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S chown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S lchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchownat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S unlink
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S unlinkat
P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.
Sincerely,
Vitaly Isaev
Software engineer
Information security department
Fintech JSC, Moscow, Russia
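As an added example (not part of the post above and not code from the audit project): a small Python script that re-joins rules whose -S landed on the next line when the file was quoted, merges rules that differ only in their syscall into one rule with several -S (every -F filter in the posted rules is identical, so the merge preserves behaviour, and the kernel walks fewer rules on each syscall exit), and flags an auid value that looks like a mistyped 4294967295. It assumes only what auditctl(8) documents: several -S per rule, -F arch= ahead of -S so syscall names can be resolved, and 4294967295 (also written -1 or unset) as the loginuid of processes not tied to a login. The RULES string is a constructed excerpt of the posted file with the same line wrapping. It does not attempt the exe exclusion itself, since the commented-out -F exe= filter needs an audit userspace and kernel newer than RHEL 6's.

```python
"""Normalise an audit.rules fragment: re-join rules whose '-S' was wrapped onto
the next line, merge rules that differ only in syscall into one rule, and flag a
mistyped "unset" auid (4294967295, i.e. (uint32)-1).  Added example, not code
from the original post or from the audit project."""
import re
import shlex

AUID_UNSET = "4294967295"           # auditctl also accepts -1 and 'unset'
AUID_RE = re.compile(r"^-F auid(!=|>=|<=|=|>|<)(\S+)$")

# Constructed excerpt of the posted audit.rules, wrapped exactly as in the mail.
RULES = """\
# First rule - delete all
-D
-b 320
#-a exit,never -F exe=/usr/bin/pulseaudio -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729
-S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729
-S execve
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729
-S exit_group
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729
-S unlink
"""


def parse_rules(text):
    """Return a list of (action, filters, syscalls, extras) for every '-a' rule.

    filters: '-F'/'-C' expressions; syscalls: names given with '-S'; extras:
    any other flag/value pair such as '-k key'.  A line beginning with '-S'
    continues the previous rule, which is how the wrapped mail lines are
    recovered.  '-D', '-b', '-w' and comment lines are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if toks[0] == "-S" and rules:
            rules[-1][2].extend(toks[1::2])      # continuation: '-S a -S b ...'
            continue
        if toks[0] != "-a":
            continue
        filters, syscalls, extras = [], [], []
        for flag, value in zip(toks[2::2], toks[3::2]):
            if flag == "-S":
                syscalls.append(value)
            elif flag in ("-F", "-C"):
                filters.append(flag + " " + value)
            else:
                extras.append(flag + " " + value)
        rules.append((toks[1], filters, syscalls, extras))
    return rules


def _mistyped_unset(m):
    # Heuristic: eight or more digits that are not 4294967295.  No real login
    # uid is that large, so the value is almost certainly a mistyped (uint32)-1.
    value = m.group(2)
    return value.isdigit() and len(value) >= 8 and value != AUID_UNSET


def lint_auid(filters):
    """Yield a warning per auid filter whose value looks like a mistyped unset
    loginuid.  'auid!=429496729' is such a case: no process carries that
    loginuid, so the '!=' excludes nothing and daemons are audited as well."""
    for f in filters:
        m = AUID_RE.match(f)
        if m and _mistyped_unset(m):
            yield "%s: %s is not the unset loginuid %s" % (f, m.group(2), AUID_UNSET)


def fix_auid(filters):
    """Return the filters with a mistyped unset auid rewritten to 4294967295."""
    fixed = []
    for f in filters:
        m = AUID_RE.match(f)
        if m and _mistyped_unset(m):
            f = "-F auid%s%s" % (m.group(1), AUID_UNSET)
        fixed.append(f)
    return tuple(fixed)


def normalise(text, fix=True):
    """Return merged rule lines: rules with the same action, filters and extras
    become one rule listing all their syscalls (order kept, duplicates dropped).
    Filters are emitted before '-S' because auditctl needs '-F arch=' first to
    resolve syscall names."""
    merged = {}                                   # insertion-ordered (py3.7+)
    for action, filters, syscalls, extras in parse_rules(text):
        key = (action, fix_auid(filters) if fix else tuple(filters), tuple(extras))
        seen = merged.setdefault(key, [])
        for s in syscalls:
            if s not in seen:
                seen.append(s)
    return [" ".join(["-a", action] + list(filters)
                     + ["-S " + s for s in syscalls] + list(extras))
            for (action, filters, extras), syscalls in merged.items()]


if __name__ == "__main__":
    for _, filters, _, _ in parse_rules(RULES):
        for warning in lint_auid(filters):
            print("warning:", warning)
    for line in normalise(RULES):
        print(line)
```

Run it on the full file rather than the excerpt and the sixteen posted rules collapse into one line with sixteen -S entries; load the result with auditctl -R and compare auditctl -l before and after to confirm the rule set is equivalent.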