I'm looking for a way to silence frequent messages attributed to crond in my
audit.log files.
Here is a snippet of the messages I would like to filter:
type=USER_ACCT msg=audit(10/20/2009 16:10:01.608:10196) : user pid=30783 uid=root auid=unset msg='PAM: accounting acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(10/20/2009 16:10:01.608:10197) : user pid=30783 uid=root auid=unset msg='PAM: setcred acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(10/20/2009 16:10:01.612:10199) : user pid=30783 uid=root auid=root msg='PAM: session open acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(10/20/2009 16:10:01.656:10200) : user pid=30783 uid=root auid=root msg='PAM: setcred acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(10/20/2009 16:10:01.656:10201) : user pid=30783 uid=root auid=root msg='PAM: session close acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
I literally get tens-of-thousands of these a day in my consolidated
audit.log (via audisp-remote). All five of these events get dumped to the
audit log every time crond is executed.
The reasoning behind this is that some of my customers are under regulations
that dictate security logs such as these are responded to and classified
within a certain time frame. This is obviously a problem due to the
frequency of these messages.
I've looked over every associated PAM module and corresponding options with
no luck. I also picked through as many auditd man pages I could find.
The only thing I was able to dig up was the ability to 'exclude' certain
message types with an audit rule.
For example, I could exclude all USER_ACCT, CRED_ACQ, USER_START, CRED_DISP,
and USER_END message types, however, that would weaken the overall security
posture as some critical messages would get filtered.
Any help would be greatly appreciated.
Thanks!
-Nick
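The exclude rule mentioned above can only match on message type, which is why it drops the critical USER_ACCT/CRED_ACQ/USER_START/CRED_DISP/USER_END records from every source along with the routine ones. As an added illustration (not from the thread, and not a feature of auditd or PAM), the script below post-processes a consolidated audit.log and suppresses only records that match the complete benign pattern shown in the question: one of those five types, produced by /usr/sbin/crond, on terminal cron, with res=success. A crond record with res=failed, the same event types from another executable, and non-PAM records all stay in the review queue. The sample records are constructed (timestamps, pids and serials are made up) and follow the raw audit.log field layout; the regexes also accept the ausearch -i interpreted form quoted in the question.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The five PAM event types crond emits on every job run (from the thread).
CRON_PAM_TYPES = {"USER_ACCT", "CRED_ACQ", "USER_START", "CRED_DISP", "USER_END"}
CROND_EXE = "/usr/sbin/crond"

# Field extractors. They accept the raw audit.log form (exe="/usr/sbin/crond")
# and the ausearch -i interpreted form shown in the thread (exe=/usr/sbin/crond).
_FIELD_RX = {
    "type": re.compile(r"\btype=([A-Z_]+)"),
    "exe": re.compile(r'\bexe="?([^"\s]+)"?'),
    "terminal": re.compile(r"\bterminal=([^\s)]+)"),
    "res": re.compile(r"\bres=(\w+)"),
}


def parse_fields(line: str) -> Dict[str, str]:
    """Pull only the fields the noise decision depends on."""
    fields: Dict[str, str] = {}
    for name, rx in _FIELD_RX.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group(1)
    return fields


def is_cron_pam_noise(line: str) -> bool:
    """True only for the exact benign pattern: one of the five PAM
    session/credential events, from crond, on the 'cron' terminal, res=success.
    Anything else (a failure, another executable, a non-PAM record) is kept."""
    f = parse_fields(line)
    return (
        f.get("type") in CRON_PAM_TYPES
        and f.get("exe") == CROND_EXE
        and f.get("terminal") == "cron"
        and f.get("res") == "success"
    )


def filter_noise(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Return (records left for review, number of suppressed crond records)."""
    kept: List[str] = []
    dropped = 0
    for line in lines:
        if is_cron_pam_noise(line):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


def _pam_record(rtype: str, serial: int, op: str, exe: str,
                terminal: str, res: str, auid: str = "4294967295") -> str:
    """Build a constructed raw-format PAM record for the sample below."""
    return (f"type={rtype} msg=audit(1256051401.608:{serial}): pid=30783 uid=0 "
            f"auid={auid} msg='PAM: {op} acct=\"root\" : exe=\"{exe}\" "
            f"(hostname=?, addr=?, terminal={terminal} res={res})'")


# Constructed sample log: values are invented, the layout matches audit.log.
SAMPLE_LOG = [
    # The five records crond produces for one successful job run: suppressed.
    _pam_record("USER_ACCT", 10196, "accounting", CROND_EXE, "cron", "success"),
    _pam_record("CRED_ACQ", 10197, "setcred", CROND_EXE, "cron", "success"),
    _pam_record("USER_START", 10199, "session open", CROND_EXE, "cron", "success", "0"),
    _pam_record("CRED_DISP", 10200, "setcred", CROND_EXE, "cron", "success", "0"),
    _pam_record("USER_END", 10201, "session close", CROND_EXE, "cron", "success", "0"),
    # A failing account check from crond: kept, this is what must be triaged.
    _pam_record("USER_ACCT", 10230, "accounting", CROND_EXE, "cron", "failed"),
    # Same event type from sshd: kept, the filter keys on the executable too.
    _pam_record("USER_START", 10240, "session open", "/usr/sbin/sshd", "ssh", "success", "1000"),
    # A non-PAM record: kept untouched (no res= field, not a PAM type).
    ("type=SYSCALL msg=audit(1256051480.000:10250): arch=c000003e syscall=2 "
     "success=yes exit=3 a0=7fff5c2b1a10 pid=30960 uid=0 auid=1000 "
     "comm=\"cat\" exe=\"/bin/cat\" key=\"etc-shadow\""),
]


if __name__ == "__main__":
    kept, dropped = filter_noise(SAMPLE_LOG)
    print(f"suppressed {dropped} routine crond PAM records, {len(kept)} left for review")
    for record in kept:
        print(record)
```

Run against the constructed sample it suppresses the five routine records and keeps the failed crond accounting check, the sshd session open, and the SYSCALL record. To use it on a real consolidated file, pass the lines of audit.log to filter_noise and route the kept records into whatever queue the classification process reads; the dropped count gives a number to report so the suppression itself stays auditable.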
On Monday 02 November 2009 11:54:38 am Nicholas Nachefski wrote:
> I'm looking for a way to silence frequent messages attributed to crond in
> my audit.log files.
This has come up in the past and we don't have a good solution. I've spoken
with one of the upstream pam maintainers about this and they are thinking
about it. We have also kicked around adding filtering based on selinux context
info which could possibly solve your problem.
-Steve