LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-08-2013, 06:58 PM   #1
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 116
Blog Entries: 3

Rep: Reputation: 15
audit rules


I am inputting:
-a never,exit -F arch=b64 -F path=/usr/sbin/ntpd -F perm=x -k time
-a never,exit -F arch=b32 -F path=/usr/sbin/ntpd -F perm=x -k time
-a always,exit -F arch=b64 -S adjtimex -k time
-a always,exit -F arch=b32 -S adjtimex -k time

This is an exercise for another program that I do not want to log events for. The desired result is that I do not see /usr/sbin/ntpd in the audit events. This is not doing the job.

In the end I have a program that is accessing a file that I must monitor, but I do not want to log events when that program accesses the file. Thank you for any help that you may be able to provide.
 
Old 03-09-2013, 05:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by clcbluemont View Post
This is not doing the job.
You only posted some rules so we don't know if these rules were loaded and in which order (anything in audit.rules overriding it?) and w/o relevant audit.log excerpts we can't see what rules got triggered.


Quote:
Originally Posted by clcbluemont View Post
I have a program that is accessing a file that I must monitor, but I do not want to log events when that program accesses the file.
Could you be more specific? What's the actual purpose? What type or kind of file? And is using the audit service a hard requirement (else see Inotify, FUSE LoggedFS)?
 
Old 03-09-2013, 10:11 AM   #3
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 116

Original Poster
Blog Entries: 3

Rep: Reputation: 15
I found the answer. The version of auditctl that comes with RHEL 5 does not have the ability to hook on the exe or comm field in a SYSCALL event.

So, for example, if ntpd tries to access a file (/var/log/somefile) that is being watched by audit, I have no way of telling auditctl to ignore ntpd accessing that file while flagging any other executable.
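On a current audit stack the exclusion asked for in this thread can be written into the rules themselves. The fragment below is an added example, not taken from the thread; it assumes an auditctl and kernel that support the "exe" field (kernel 4.3 or later, per the auditctl man page) and reuses the thread's /var/log/somefile placeholder, showing the original rules beside the form that actually suppresses ntpd's accesses:

```text
## Before (the rules posted in #1): a "never" rule on path=/usr/sbin/ntpd
## with perm=x only suppresses records for *executing* ntpd. It says nothing
## about what the running ntpd process does to other files, so its reads and
## writes of a watched file are still logged.
-a never,exit -F arch=b64 -F path=/usr/sbin/ntpd -F perm=x -k time
-a never,exit -F arch=b32 -F path=/usr/sbin/ntpd -F perm=x -k time

## After: match on the executable of the acting process instead. The kernel
## takes the first rule that matches in the exit list, so the "never" rules
## must come before the watch they are meant to punch a hole in.
## Assumes the "exe" field is available (kernel 4.3+); constructed example.
-a never,exit  -F arch=b64 -F path=/var/log/somefile -F perm=wa -F exe=/usr/sbin/ntpd
-a never,exit  -F arch=b32 -F path=/var/log/somefile -F perm=wa -F exe=/usr/sbin/ntpd
## Everything else touching the file is still recorded under key "somefile".
-a always,exit -F arch=b64 -F path=/var/log/somefile -F perm=wa -k somefile
-a always,exit -F arch=b32 -F path=/var/log/somefile -F perm=wa -k somefile

## Caveat: the exclusion is only as trustworthy as /usr/sbin/ntpd itself, so
## keep a separate watch on that binary (e.g. -w /usr/sbin/ntpd -p wa -k ntpd_bin)
## so a replaced or modified binary cannot silently inherit the exemption.
```

Load the fragment with auditctl -R, or drop it into /etc/audit/rules.d/ and run augenrules --load, then confirm the order with auditctl -l. On a kernel or auditctl without the exe field the never rules are rejected at load time, which reproduces the RHEL 5 limitation described in #3.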

Tags
audit, auditd, auditing