SLES 11 SP4 linux audit framework LAF auditctl filter on COMM help



ron7000
10-Dec-2015, 14:33
here is a link to help explain: http://linoxide.com/how-tos/auditd-tool-security-auditing/


type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)

The above is a sample from that link.

On my system the audit is flagging a million times on a service account for the remote login software that's installed, and the more people that login via that method the more entries in the audit log.

In my case I have the user account "somename" with userid 11000, and the line is showing a bunch of the information like described above but with comm="something_i_forget_what_at_the_moment". But it was something common out of /bin or /sbin.

I was hoping to add a rule via the -F option for comm!="something" along with uid!=### for that account to filter out that specific entry,
but when I go to restart auditd it says comm is not a valid option for -F.
Going by the above example, I was trying to do -F comm!="chfn".

I am able to filter out the entire uid by doing -F uid!=11000,
but doesn't that kinda defeat the purpose, meaning if something bad should happen under that specific account I won't see it?
Any filtering advice?
Can anyone provide a list of all the valid arguments that can be passed to -F ?
I was hoping anything in the audit log where X="something" is shown that I could filter on that X, but apparently not.
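
Added example, not part of the original thread and not SUSE's or the audit project's code: a small Python post-filter that does on the log what the question wants auditctl to do on the kernel side. It groups audit.log records by serial number, counts events per (uid, comm) pair so the noisy pair can be identified, and then drops only events where both the uid and the comm match, keeping every other event for that account. The uid 11000 and comm "chfn" are taken from the post; the sample records, timestamps, pids, inode and the key name "passwd-watch" are constructed after the record format shown above and are not real log data.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample records in the format shown in the post (not real log data):
# serials 510 and 511 are the noisy chfn events under the service account uid 11000,
# 512 is a different program under the same account, 513 is chfn run by root.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1449750000.101:510): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=2978 pid=2994 auid=4294967295 uid=11000 gid=100 euid=11000 egid=100 tty=(none) ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key="passwd-watch"
type=CWD msg=audit(1449750000.101:510): cwd="/home/somename"
type=PATH msg=audit(1449750000.101:510): item=0 name="/etc/passwd" inode=143992 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1449750000.205:511): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=2978 pid=2995 auid=4294967295 uid=11000 gid=100 euid=11000 egid=100 tty=(none) ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key="passwd-watch"
type=PATH msg=audit(1449750000.205:511): item=0 name="/etc/passwd" inode=143992 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1449750000.310:512): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=2978 pid=2996 auid=4294967295 uid=11000 gid=100 euid=11000 egid=100 tty=pts0 ses=4294967295 comm="cat" exe="/bin/cat" key="passwd-watch"
type=PATH msg=audit(1449750000.310:512): item=0 name="/etc/passwd" inode=143992 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1449750000.415:513): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=2900 pid=2997 auid=0 uid=0 gid=0 euid=0 egid=0 tty=pts1 ses=1 comm="chfn" exe="/usr/bin/chfn" key=(null)
type=PATH msg=audit(1449750000.415:513): item=0 name="/etc/passwd" inode=143992 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# One record per line: type=... msg=audit(<seconds>.<ms>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# A field is either a double-quoted string or a run of non-blank characters such as (null).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="quoted v" ...' into a dict; quotes are stripped, (null)/(none) kept verbatim."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_events(text):
    """Group records by serial number: {serial: {"ts": str, "records": [(type, fields), ...]}}."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # malformed or non-audit line; skip rather than fail
        ev = events[int(m.group("serial"))]
        ev["ts"] = m.group("ts")
        ev["records"].append((m.group("type"), parse_fields(m.group("body"))))
    return dict(events)


def syscall_record(event):
    """The SYSCALL record carries uid/comm/exe; the CWD and PATH records of the same event do not."""
    for rtype, fields in event["records"]:
        if rtype == "SYSCALL":
            return fields
    return None


def noise_table(events):
    """Count events per (uid, comm) so the noisy pair is identified before anything is suppressed."""
    counts = Counter()
    for ev in events.values():
        sc = syscall_record(ev)
        if sc:
            counts[(sc.get("uid"), sc.get("comm"))] += 1
    return counts


def _keep_unless(events, predicate):
    """Keep every event whose SYSCALL record does not satisfy predicate (events without one are kept)."""
    kept = {}
    for serial, ev in events.items():
        sc = syscall_record(ev)
        if sc and predicate(sc):
            continue
        kept[serial] = ev
    return kept


def suppress_uid(events, uid):
    """The blunt filter from the post (-F uid!=N): drops every event for the account."""
    return _keep_unless(events, lambda sc: sc.get("uid") == str(uid))


def suppress_uid_comm(events, uid, comm):
    """The narrow filter the post asks for: drops only the uid+comm pair, keeps the rest of the account."""
    return _keep_unless(events, lambda sc: sc.get("uid") == str(uid) and sc.get("comm") == comm)


if __name__ == "__main__":
    # With a path argument (e.g. the audit log) real records are read; otherwise the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_events(text)
    for (uid, comm), n in noise_table(events).most_common(5):
        print(f"uid={uid} comm={comm}: {n} events")
    kept = suppress_uid_comm(events, 11000, "chfn")
    print(f"{len(events)} events parsed, {len(kept)} remain after dropping uid=11000 comm=chfn")
    for serial in sorted(kept):
        sc = syscall_record(kept[serial])
        print(serial, sc["uid"], sc["comm"], sc["exe"], sc["key"])
```

Run with no argument to see the sample, or give the audit log path to count and filter real events. Comparing suppress_uid with suppress_uid_comm on the sample shows the trade-off the post describes: the uid-only filter also removes the account's other activity (serial 512), while the uid+comm filter keeps it and keeps root's chfn run (serial 513), so the kernel rule set can stay untouched and the noise is removed at review time instead.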

Automatic reply
16-Dec-2015, 06:30
ron7000,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com