Hello all,

I would like to ask for an explanation about making my audit.rules proper. What I am trying to do is to exclude all the syscall events coming from exe="/usr/bin/pulseaudio" and its components. At the moment about 95% of the audit log is filled with messages related to pulseaudio:

# aureport -x -if my.log --summary

Executable Summary Report
=================================
total  file
=================================
1156923  /usr/bin/pulseaudio
191719  /usr/libexec/pulse/gconf-helper
49282  /usr/bin/gnome-volume-control-applet
8035  /usr/libexec/gnome-settings-daemon
1045  /usr/sbin/crond
265  /usr/bin/nautilus
23  /usr/sbin/sshd

Please look through the current version of audit.rules. How should I modify them?

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
#-a exit,never -F exe=/usr/bin/pulseaudio -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S execve
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S vfork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S exit_group
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S getdents
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchmodat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S chown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S lchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S fchownat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlink
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S unlinkat

P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.

Sincerely,
Vitaly Isaev
Software engineer
Information security department
Fintech JSC, Moscow, Russia
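Before changing the rule set it helps to know not just which executable produces the volume (which `aureport -x --summary` already shows) but which of the `-S` syscalls in audit.rules each executable is hitting, because that decides whether a per-executable exclusion or a narrower syscall list is the right fix, and it gives a number to compare before and after a rule change. The script below is an added example for this thread; it is not part of the post above and not code from the audit project. It parses raw audit.log SYSCALL records, counts them per executable like aureport does, and breaks each executable down by syscall name. The log lines it runs on are constructed samples, and the syscall-number table is limited to the x86_64 syscalls named in the rules above, so other syscalls are reported by number.

```python
"""Summarise audit.log SYSCALL records by executable and by syscall.

Added example for the audit.rules thread; not part of the post and not
audit's own code. It reproduces the per-executable counts of
`aureport -x --summary` from raw audit.log lines and also breaks each
executable down by syscall name, so you can see which `-S` rules in
audit.rules produce the bulk of the records before deciding what to tune.
"""
import re
from collections import Counter, defaultdict

# Syscall numbers for the x86_64 ABI (arch=c000003e in the log), limited to
# the syscalls named in the audit.rules from the post (assumption: x86_64 only).
X86_64_SYSCALLS = {
    2: "open", 57: "fork", 58: "vfork", 59: "execve", 60: "exit",
    78: "getdents", 87: "unlink", 90: "chmod", 91: "fchmod", 92: "chown",
    93: "fchown", 94: "lchown", 231: "exit_group", 260: "fchownat",
    263: "unlinkat", 268: "fchmodat",
}

# Constructed sample records in audit.log format; they are not real log data.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1384000001.101:1001): arch=c000003e syscall=2 success=yes exit=11 a0=1 a1=2 a2=0 a3=0 items=1 ppid=2100 pid=2150 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" key=(null)
type=CWD msg=audit(1384000001.101:1001):  cwd="/home/user"
type=PATH msg=audit(1384000001.101:1001): item=0 name="/dev/snd/controlC0" inode=1234 dev=00:05 mode=020660 ouid=0 ogid=29 rdev=74:03
type=SYSCALL msg=audit(1384000001.102:1002): arch=c000003e syscall=2 success=yes exit=12 a0=1 a1=2 a2=0 a3=0 items=1 ppid=2100 pid=2150 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" key=(null)
type=SYSCALL msg=audit(1384000001.103:1003): arch=c000003e syscall=78 success=yes exit=0 a0=1 a1=2 a2=0 a3=0 items=0 ppid=2100 pid=2150 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" key=(null)
type=SYSCALL msg=audit(1384000001.104:1004): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=0 a3=0 items=2 ppid=2100 pid=2160 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconf-helper" exe="/usr/libexec/pulse/gconf-helper" key=(null)
type=SYSCALL msg=audit(1384000001.105:1005): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=2 a2=0 a3=0 items=1 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
"""

# Only SYSCALL records carry arch/syscall/exe; CWD and PATH records belong to
# the same event and are skipped so each event is counted once, as aureport does.
_SYSCALL_RE = re.compile(
    r'^type=SYSCALL .*?\barch=([0-9a-f]+) syscall=(\d+) .*?\bexe="([^"]*)"')


def parse_syscall_records(text):
    """Return a list of (exe, syscall_name) tuples, one per SYSCALL record."""
    records = []
    for line in text.splitlines():
        m = _SYSCALL_RE.match(line)
        if not m:
            continue
        arch, nr, exe = m.group(1), int(m.group(2)), m.group(3)
        if arch != "c000003e":          # only the x86_64 table is embedded here
            name = "syscall#%d(arch=%s)" % (nr, arch)
        else:
            name = X86_64_SYSCALLS.get(nr, "syscall#%d" % nr)
        records.append((exe, name))
    return records


def summarize_by_exe(records):
    """Per-executable event counts, the same figure `aureport -x --summary` prints."""
    return Counter(exe for exe, _ in records)


def summarize_by_exe_and_syscall(records):
    """Map exe -> Counter of syscall names; shows which -S rules are firing."""
    out = defaultdict(Counter)
    for exe, name in records:
        out[exe][name] += 1
    return dict(out)


def noise_share(records, prefixes):
    """Percentage of records whose exe starts with one of the given path prefixes."""
    if not records:
        return 0.0
    hits = sum(1 for exe, _ in records if exe.startswith(tuple(prefixes)))
    return 100.0 * hits / len(records)


def format_report(records):
    """Render an aureport-like text summary, busiest executable first."""
    lines = ["Executable Summary Report", "=" * 33, "total  file", "=" * 33]
    per_syscall = summarize_by_exe_and_syscall(records)
    for exe, n in summarize_by_exe(records).most_common():
        detail = ", ".join("%s=%d" % kv for kv in per_syscall[exe].most_common())
        lines.append("%d  %s  (%s)" % (n, exe, detail))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_syscall_records(SAMPLE_LOG)
    print(format_report(recs))
    print("pulseaudio share: %.1f%%"
          % noise_share(recs, ["/usr/bin/pulseaudio", "/usr/libexec/pulse/"]))
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of `/var/log/audit/audit.log` (or the `my.log` from the aureport command above); the per-syscall breakdown for `/usr/bin/pulseaudio` is the number to watch while adjusting the `-S` lines, and `noise_share` gives the "95% of the log" figure in a form that can be re-measured after each rule change.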