Re: Excluding audit for BIND daemon

Hello, On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote: If you wanted just people and not daemons, then I would suggest changing the rule to this: -a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action However, that is likely to trigger way more events than you need. Because this will trigger on every single syscall and slow down the system. What you would normally want to know is which commands were run as root. A rule for that would look like this: -a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action -a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action Another approach would be to enable keystroke logging. This would involve adding pam_audit_tty to the su and sudo pam configs. Use the default setting shown in the pam man page. If you do this, then don't have the root_action rule because you'll get double information. And last bit of advice...there are pre-written rules that you can install. On Fedora, they are located in /usr/share/doc/audit/rules/. There is a README-rules file that explains how to use them. -Steve