Hello Steve,

Thanks so much for your help, I've modified audit.rules as per your recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact

# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1 (0xffffffff) key=rootact syscall=execve

With the above settings, audit stopped logging all root commands!
Any recommendations/suggestions would be appreciated.

Kind regards,
Moshe


Moshe Rechtman

Technical Support Engineer

Red Hat Israel

34 Jerusalem rd. Ra'anana, 43501

mrechtma@redhat.com   T: +972-9-7692289 
M: +972-54-4971516   F: +972-9-7692223    



On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb@redhat.com> wrote:
On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
>
> # cat audit.rules1
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> ### Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact

It won't work this way. You now have 2 sets of rootact. The audit rule engine
is first-match-wins. So, this second set of rules will never trigger. The
rule I mentioned was supposed to replace the rule in the list.

> After restarting the auditd service, the following error was received:
>
> # service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Unknown user: unset
> -F unknown field: auid

OK. I guess this is really old. Then make it auid=-1

-Steve
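As an added illustration (not code from this thread or from the audit project), a small Python model of the first-match-wins evaluation Steve describes: it flags the shadowed second rootact set in the quoted audit.rules, and shows which execve events the final `euid=0 auid=-1` rule matches. The rule grammar, the event fields and the two sample events are simplified assumptions; auid written as -1 or unset is treated as 0xffffffff, the value auditctl -l prints.

```python
import re

UNSET = 0xFFFFFFFF  # auditctl -l prints auid=-1 (unset) as 0xffffffff
FILTER_RE = re.compile(r"-F\s+(\w+)(>=|<=|!=|=|>|<)(\S+)")
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b,
       "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}
def _norm(field, value):
    # arch stays a string; auid written as -1 or unset is the "no login session" value
    if value in ("b64", "b32", "unset"):
        return UNSET if value == "unset" else value
    v = int(value, 0)
    return UNSET if field == "auid" and v == -1 else v
def parse_rule(line):
    # one '-a exit,always -F ... -S sys -k key' line -> comparable dict (simplified grammar)
    filters = frozenset((f, op, _norm(f, v)) for f, op, v in FILTER_RE.findall(line))
    return {"filters": filters,
            "syscall": re.search(r"-S\s+(\S+)", line).group(1),
            "key": re.search(r"-k\s+(\S+)", line).group(1)}
def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-a ")]
def shadowed(rules):
    # (later, earlier) pairs: an earlier rule's filters are a subset of a later rule's on
    # the same syscall, so with first-match-wins the later rule can never fire
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier["syscall"] == later["syscall"] and earlier["filters"] <= later["filters"]:
                hits.append((j, i))
                break
    return hits
def first_match(rules, event):
    # key of the first rule whose syscall and every -F filter match the event, else None
    for r in rules:
        if r["syscall"] == event["syscall"] and all(OPS[op](event[f], v) for f, op, v in r["filters"]):
            return r["key"]
    return None

# Constructed copies of the two rule sets from the thread and two sample execve events.
QUOTED_RULES = """
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
"""
FINAL_RULE = "-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact"
ROOT_SHELL = {"arch": "b64", "euid": 0, "auid": 1000, "syscall": "execve"}   # root in a login session
ROOT_DAEMON = {"arch": "b64", "euid": 0, "auid": UNSET, "syscall": "execve"}  # root with no login session
```

`shadowed(load_rules(QUOTED_RULES))` returns the two rootact rules that can never fire, and `first_match(load_rules(FINAL_RULE), ...)` returns `None` for ROOT_SHELL but `"rootact"` for ROOT_DAEMON, since `auid=-1` only matches processes with no login uid.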