LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-08-2013, 07:58 PM   #1
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 95

audit rules


I am inputting:
-a never,exit -F arch=b64 -F path=/usr/sbin/ntpd -F perm=x -k time
-a never,exit -F arch=b32 -F path=/usr/sbin/ntpd -F perm=x -k time
-a always,exit -F arch=b64 -S adjtimex -k time
-a always,exit -F arch=b32 -S adjtimex -k time

This is an exercise for another program that I do not want to log events for. The desired result is that I do not see /usr/sbin/ntpd in the audit events. This is not doing the job.

In the end I have a program that is accessing a file that I must monitor, but I do not want to log events when that program accesses the file. Thank you for any help that you may be able to provide.
 
Old 03-09-2013, 06:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Quote:
Originally Posted by clcbluemont
This is not doing the job.
You only posted some rules so we don't know if these rules were loaded and in which order (anything in audit.rules overriding it?) and w/o relevant audit.log excerpts we can't see what rules got triggered.


Quote:
Originally Posted by clcbluemont
I have a program that is accessing a file that I must monitor, but I do not want to log events when that program accesses the file.
Could you be more specific? What's the actual purpose? What type or kind of file? And is using the audit service a hard requirement (else see Inotify, FUSE LoggedFS)?
 
Old 03-09-2013, 11:11 AM   #3
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 95

Original Poster
I found the answer. The version of auditctl that comes with RHEL 5 does not have the ability to hook on the exe or comm field in a SYSCALL event.

So, for example, if ntpd tries to access a file (/var/log/somefile) that is being watched by audit, I have no way of telling auditctl to ignore ntpd accessing that file while flagging any other executable.
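A post-processing workaround for the situation described in post #3, as an added example that is not part of the original thread: when the installed auditctl cannot filter on the exe or comm field, keep the watch on the file and drop the excluded program's events while reading audit.log instead. The log lines below are constructed sample records (the key name somefile, the path /var/log/somefile and the pids/uids are made up); the layout follows the standard type=SYSCALL / type=PATH format, and records belonging to one event are grouped by the serial in msg=audit(ts:serial).

```python
import re
from collections import OrderedDict

# Constructed sample audit.log excerpt: event 1001 is ntpd touching the watched
# file, event 1002 is an interactive editor touching it, event 1003 carries a
# different key and is not part of this watch at all.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1362787200.101:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="somefile"
type=CWD msg=audit(1362787200.101:1001):  cwd="/"
type=PATH msg=audit(1362787200.101:1001): item=0 name="/var/log/somefile" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1362787260.555:1002): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=0 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="somefile"
type=CWD msg=audit(1362787260.555:1002):  cwd="/root"
type=PATH msg=audit(1362787260.555:1002): item=0 name="/var/log/somefile" inode=12345 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1362787300.000:1003): arch=c000003e syscall=2 success=yes exit=3 a0=7fff9abc a1=0 a2=0 a3=0 items=1 ppid=3000 pid=3002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="other"
type=PATH msg=audit(1362787300.000:1003): item=0 name="/etc/other.conf" inode=999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
""".strip().splitlines()

# Header of every record: type=... msg=audit(<timestamp>:<serial>): <fields>
_MSG_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# One key=value pair; values are either double-quoted (name="/var/log/x") or bare (pid=2345).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, serial, fields); None if it is not an audit record."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return m.group('type'), int(m.group('serial')), fields


def group_events(lines):
    """Collect the records that share one serial into a single event, in log order."""
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        ev = events.setdefault(serial, {'serial': serial, 'syscall': None, 'paths': []})
        if rtype == 'SYSCALL':
            ev['syscall'] = fields          # carries comm, exe and key
        elif rtype == 'PATH':
            ev['paths'].append(fields.get('name'))
    return list(events.values())


def filter_events(lines, watch_key, exclude_exe=(), exclude_comm=()):
    """Return events tagged with watch_key whose SYSCALL record did not come from an excluded exe/comm.

    This is the exclusion the original poster could not express in the RHEL 5
    rule set: the watch still fires for every process, and the unwanted
    program's events are discarded here instead.
    """
    kept = []
    for ev in group_events(lines):
        sc = ev['syscall']
        if sc is None or sc.get('key') != watch_key:
            continue                        # not an event from the watch we care about
        if sc.get('exe') in exclude_exe or sc.get('comm') in exclude_comm:
            continue                        # the program we deliberately ignore
        kept.append(ev)
    return kept


if __name__ == '__main__':
    for ev in filter_events(SAMPLE_LOG, 'somefile', exclude_exe=('/usr/sbin/ntpd',)):
        sc = ev['syscall']
        print(ev['serial'], sc['exe'], 'pid', sc['pid'], '->', ', '.join(ev['paths']))
```

Matching on both exe and comm is deliberate: comm is only the first 15 bytes of the command name and can be set by the process, so the full exe path is the more reliable discriminator, while comm still helps when the same binary is reached through different paths. Where the installed auditctl does support the exe field, the same exclusion can be expressed in the rule set itself as a never rule placed before the watch (rules are matched in order); on the RHEL 5 version discussed in this thread, filtering after the fact is the fallback.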
 