3:24 p.m.
Hello,
I would like to filter out audit log entries that are created from the
default cron.daily, hourly etc. However, I would like to still be
able to view cron jobs that are run by users.
Is there a way to run an auditctl command that will do both of the
above?
Thanks in advance.
Starr-Renee Corbin
Applied Research Lab
The University of Texas at Austin
512-835-3628
4:22 p.m.
On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote:
Is there a way to run an auditctl command that will do both of the
above?
Not at this point. If the user filter in the kernel allowed type to be used,
you might stand a chance. But then there is no way to filter on cron being
the source in the kernel.
User space originating audit events are sent as a string to the kernel. The
kernel does not parse strings and won't match against it.
-Steve
4:40 p.m.
On Wed, 2009-01-07 at 17:22 -0500, Steve Grubb wrote:
On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote:
> Is there a way to run an auditctl command that will do both of the
> above?
Not at this point. If the user filter in the kernel allowed type to be used,
you might stand a chance. But then there is no way to filter on cron being
the source in the kernel.
User space originating audit events are sent as a string to the kernel. The
kernel does not parse strings and won't match against it.
-Steve
in man auditctl you talk about the "exclude" list. Do you know if this
maps to list number 0x05 ? Anyway, assuming so, I don't see a reason
right off hand we couldn't pass the userspace audit messages through the
exclude filter list (In kernel it's called the "type" filter list.
-Eric
4:52 p.m.
On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
in man auditctl you talk about the "exclude" list.
Yes, I thought about that, too. This is what you have to work with:
type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
This part is a string and cannot be matched against:
msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond"
(hostname=?,
addr=?, terminal=cron res=success)'
If the type filter allows matching by selinux context, then you might be able
to say:
-a always,exclude -F msgtype=USER_START -F auid=0 -F subj_type=crond_t
-Steve
4:59 p.m.
On Wed, 2009-01-07 at 17:52 -0500, Steve Grubb wrote:
On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
> in man auditctl you talk about the "exclude" list.
Yes, I thought about that, too. This is what you have to work with:
type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
This part is a string and cannot be matched against:
msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond"
(hostname=?,
addr=?, terminal=cron res=success)'
If the type filter allows matching by selinux context, then you might be able
to say:
of course not, it allows matching only on type.
I can push type matching down into the user filter though (that was my
original thought)
I'll try to remember to poke it tomorrow.....
-Eric
5836
days inactive
5836
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
Eric Paris -
Starr-Renee Corbin -
Steve Grubb