here is a link to help explain: http://linoxide.com/how-tos/auditd-t...rity-auditing/
The above is a sample from that link:
type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
On my system the audit is flagging a million times on a service account for the remote login software that's installed, and the more people that log in via that method the more entries in the audit log.
In my case I have the user account "somename" with userid 11000, and the line is showing a bunch of the information like described above but with comm="something_i_forget_what_at_the_moment". But it was something common out of /bin or /sbin.
I was hoping to add a rule via the -F option for comm!="something" along with uid!=### for that account to filter out that specific entry,
but when I go to restart auditd it says comm is not a valid option for -F.
Going by the above example, I was trying to do -F comm!="chfn".
I am able to filter out the entire uid by doing -F uid!=11000,
but doesn't that kinda defeat the purpose, meaning if something bad should happen under that specific account I won't see it?
Any filtering advice?
Can anyone provide a list of all the valid arguments that can be passed to -F?
I was hoping anything in the audit log where X="something" is shown that I could filter on that X, but apparently not.
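As an added example (not part of the post above), a small userspace post-filter over records in the format quoted in the post: auditctl's -F has no comm field, so the uid-plus-comm combination the poster wants to drop can instead be applied when reading the log, which keeps every other event for that account. Records are grouped by the audit(timestamp:serial) id; the serial 510 event is the one quoted above and the uid 11000 events (serials 511 and 512, comm "sshd" and "cat") are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: the event quoted in the post (serial 510) plus two
# SYSCALL records for a service account with uid 11000 (serials 511, 512).
SAMPLE_LOG = """\
type=PATH msg=audit(1419222323.628:510): item=1 name="/etc/passwd.lock" inode=143992 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1419222323.628:510): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1419222323.628:510): cwd="/root"
type=SYSCALL msg=audit(1419222323.628:510): arch=40000003 syscall=10 success=yes exit=0 a0=bfc0ceec a1=0 a2=bfc0ceec a3=897764c items=2 ppid=2978 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chfn" exe="/usr/bin/chfn" key=(null)
type=SYSCALL msg=audit(1419222400.100:511): arch=40000003 syscall=10 success=yes exit=0 items=0 ppid=3000 pid=3001 auid=11000 uid=11000 gid=11000 euid=11000 tty=(none) ses=7 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1419222450.200:512): arch=40000003 syscall=10 success=yes exit=0 items=0 ppid=3001 pid=3050 auid=11000 uid=11000 gid=11000 euid=11000 tty=(none) ses=7 comm="cat" exe="/bin/cat" key=(null)
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by audit serial: {serial: {record type: [field dicts]}}.
    One serial can carry several PATH records, hence the list per type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                      # not an audit record, skip it
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[int(serial)][rtype].append(fields)
    return events


def suppress(events, exclusions):
    """Drop an event only when its SYSCALL record matches EVERY field of some
    exclusion, e.g. {"uid": "11000", "comm": "sshd"}.  Other activity by that
    uid (a different comm) is kept, which a blanket uid!=11000 rule would lose."""
    kept = {}
    for serial, recs in events.items():
        syscall = recs.get("SYSCALL", [{}])[0]
        if any(all(syscall.get(k) == v for k, v in ex.items()) for ex in exclusions):
            continue
        kept[serial] = recs
    return kept


if __name__ == "__main__":
    kept = suppress(parse_events(SAMPLE_LOG), [{"uid": "11000", "comm": "sshd"}])
    for serial, recs in sorted(kept.items()):
        sc = recs["SYSCALL"][0]
        print(serial, sc["uid"], sc["comm"], sc["exe"])
```

auditctl(8) does list exe (the absolute path of the executable) among its -F fields, so the same pair can be expressed kernel-side as -F uid=11000 -F exe=/usr/sbin/sshd on a never rule placed before the always rules (the path here is the constructed sample's).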