SUSECON

Thread: linux audit framework LAF auditctl filter on COMM help

    Here is a link to help explain: http://linoxide.com/how-tos/auditd-t...rity-auditing/

    type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
    type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
    type=CWD msg=audit(1419222323.628:510): cwd="/root"
    type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
    The above is a sample from that link.

    On my system the audit is flagging a million times on a service account for the remote login software that's installed, and the more people that log in via that method, the more entries there are in the audit log.

    In my case I have the user account "somename" with userid 11000, and the line shows a bunch of the information like described above, but with comm="something_i_forget_what_at_the_moment". It was something common out of /bin or /sbin.

    I was hoping to add a rule via the -F option for comm!="something" along with uid!=### for that account to filter out that specific entry,
    but when I go to restart auditd it says comm is not a valid option for -F.
    Going by the above example, I was trying to do -F comm!="chfn".

    I am able to filter out the entire uid by doing -F uid!=11000,
    but doesn't that kind of defeat the purpose, meaning if something bad should happen under that specific account I won't see it?
    Any filtering advice?
    Can anyone provide a list of all the valid arguments that can be passed to -F?
    I was hoping that anywhere the audit log shows X="something" I could filter on that X, but apparently not.
    Last edited by ron7000; 10-Dec-2015 at 14:35.
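The thread never gets an answer, so here is an added example (not from the original poster or the SUSE forum) of the compound "this uid AND this comm" exclusion the post asks for, applied at log-reading time rather than in the kernel rule set. The poster's auditctl rejects comm as a -F field, and a uid-only rule throws away everything the service account does; post-filtering the records instead lets the noisy event be dropped while every other event for uid 11000, and the same comm under any other uid, stays visible. The record format follows what is quoted in the post; event 510 is the chfn sample from the post, and events 511 to 513 are constructed for the demonstration, as are the rule list NOISE_RULES, the comm value "sleep" standing in for the forgotten command name, and the key "watch-etc".

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt, modelled on the record format quoted in
# the post. Event 510 is the chfn example from the post; 511-513 are made up:
#   511 is the noisy service-account event the poster wants to suppress,
#   512 is the same uid doing something worth keeping,
#   513 is the same comm under a different uid (must also be kept).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1419222400.101:511): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2b a1=0 a2=0 a3=0 items=1 ppid=3001 pid=3002 auid=11000 uid=11000 gid=100 euid=11000 suid=11000 fsuid=11000 egid=100 sgid=100 fsgid=100 tty=(none) ses=7 comm="sleep" exe="/bin/sleep" key="watch-etc"
type=PATH msg=audit(1419222400.101:511): item=0 name="/etc/localtime" inode=131100 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1419222401.555:512): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd1a2c a1=1 a2=0 a3=0 items=1 ppid=3001 pid=3010 auid=11000 uid=11000 gid=100 euid=11000 suid=11000 fsuid=11000 egid=100 sgid=100 fsgid=100 tty=pts1 ses=7 comm="vi" exe="/usr/bin/vi" key="watch-etc"
type=PATH msg=audit(1419222401.555:512): item=0 name="/etc/sudoers" inode=131222 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1419222402.000:513): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2d a1=0 a2=0 a3=0 items=1 ppid=1 pid=3020 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sleep" exe="/bin/sleep" key="watch-etc"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical exclusion list: an event is dropped only when EVERY field of one
# rule matches its SYSCALL record. uid and comm together, so other activity by
# uid 11000, and "sleep" run by any other uid, both survive.
NOISE_RULES = [{"uid": "11000", "comm": "sleep"}]


def parse_events(text):
    """Group raw audit records into events keyed by (timestamp, serial).

    Returns an insertion-ordered dict: (ts, serial) -> list of record dicts,
    each carrying its 'type' plus every key=value field (quotes stripped)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, ausearch separator, ...)
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["type"] = rtype
        events[(ts, serial)].append(fields)
    return events


def is_excluded(syscall, rules):
    """True if the SYSCALL record matches all fields of at least one rule."""
    return any(all(syscall.get(k) == v for k, v in rule.items()) for rule in rules)


def filter_events(text, rules=NOISE_RULES):
    """Return [(serial, records)] for events not suppressed by `rules`.

    Events without a SYSCALL record (e.g. USER_LOGIN) cannot match a
    uid/comm rule and are always kept."""
    kept = []
    for (ts, serial), records in parse_events(text).items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is not None and is_excluded(syscall, rules):
            continue
        kept.append((serial, records))
    return kept


def summarize(text, rules=NOISE_RULES):
    """(serial, uid, comm) for every surviving event; None where no SYSCALL."""
    out = []
    for serial, records in filter_events(text, rules):
        sc = next((r for r in records if r["type"] == "SYSCALL"), {})
        out.append((serial, sc.get("uid"), sc.get("comm")))
    return out


if __name__ == "__main__":
    for serial, uid, comm in summarize(SAMPLE_LOG):
        print(f"kept event {serial}: uid={uid} comm={comm}")
```

With the sample above, event 511 is dropped and 510, 512 and 513 are kept; swapping in a uid-only rule ({"uid": "11000"}) also drops 512, the sudoers edit, which is exactly the loss of visibility the post worries about. The same filter can be run over real data by feeding it `ausearch --raw` output, since that preserves the type=... msg=audit(...) record format. Later audit releases also accept -F exe=/path/to/binary as a rule field, which filters on the executable rather than on comm; the auditctl(8) man page of the installed version lists the -F fields it accepts.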
