RHEL auditd: how to filter per-GID users only?
Hi
I want to audit only users from a certain GID on my RHEL 5.8 box. I configured auditd with the following audit.rules file:
Code:
# First rule - delete all
Code:
node=10.192.25.55 type=USER_ACCT msg=audit(1361550601.159:386198): user pid=7766 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
How do I configure auditd to ONLY audit users from GID=2101? When I start auditd I see the following head output:
Code:
node=10.192.25.55 type=DAEMON_START msg=audit(1361551830.781:251): auditd start, ver=1.8 format=raw kernel=2.6.18-308.el5 auid=0 pid=16923 res=success
USER_ACCT, CRED_ACQ and LOGIN are message types. Usually you don't want to miss out on logging those (though you can have "-a exclude,always -F msgtype=SOMETHING" if you really know what you're doing). "auid=0 op=add rule" isn't an error but the audit service notifying you that it loaded rules. auid=4294967295, in other words a message from a process that was started before the audit service was, means you should start the audit service earlier ;-p
You can also add excludes; for example, for "auid=4294967295" you add:
Code:
... -F ! auid=4294967295 ...
Hi
Thanks for your reply. I only want auditd to log messages in the /var/log/audit/audit.log file for the following setup:
1. Access, write and modification of files or dirs in the /home fs.
2. I don't want anything to be logged in that audit.log file apart from messages related to uid=2217.
My actual setup looks like this:
Code:
# First rule - delete all
I found it.
I added the following at the beginning of the audit.rules file:
Code:
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
Code:
node=10.8.4.118 type=LOGIN msg=audit(1361884393.999:2503816): login pid=20666 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241758
I only want to disable type=LOGIN for uid<2000. How do I achieve this?
'man auditctl' says each "-F" field equation is ANDed, so try something like "-F ! uid < 2001"?
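Putting the two replies together (the exclude hint earlier in the thread and the point that -F fields on one rule are ANDed), here is an added example that is not from any poster in this thread: an audit.rules fragment in RHEL 5 auditctl syntax that restricts syscall auditing under /home to a login-uid range and a single effective GID, plus an awk filter that applies the same auid/egid selection to constructed audit.log lines so the effect of the ANDed fields can be checked offline. The GID 2101, the auid threshold 2000, the /home path, the key names and the sample log lines are all assumptions; `-F dir=` needs a kernel with audit tree support, and whether fields other than msgtype are accepted on the exclude list depends on the audit version, so check `man auditctl` on the target box.

```shell
#!/bin/sh
# Added example, not code from the thread. Two parts:
#  1. an audit.rules fragment (RHEL 5 auditctl syntax) restricting syscall
#     auditing under /home to processes with auid >= 2000 and egid 2101;
#  2. an awk filter that applies the same auid/egid selection to constructed
#     audit.log lines, mirroring how -F fields on one rule are ANDed.

# GID, uid threshold and paths are assumptions, not taken from the thread.
TARGET_GID=2101
MIN_AUID=2000
UNSET_AUID=4294967295   # auid of processes started before auditd (the -1 value)

audit_rules_fragment() {
    # Every -F field on one -a line must match for the rule to fire (AND).
    cat <<EOF
# Delete all existing rules and start clean
-D
-b 8192
# Log /home file activity only for processes whose login uid is >= ${MIN_AUID}
# and whose effective GID is ${TARGET_GID}. Watches (-w) cannot carry uid/gid
# fields, so a syscall rule with -F dir= is used instead (dir= assumes a
# kernel with audit tree support).
-a exit,always -S open -S openat -S creat -S truncate -S unlink -S rename -F dir=/home -F auid>=${MIN_AUID} -F egid=${TARGET_GID} -k home_gid${TARGET_GID}
# Exclude user-space message types 1100-1299 (USER_AUTH, USER_ACCT, CRED_ACQ,
# USER_START, ...). Note LOGIN is type 1006, so this range does not cover it.
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
EOF
}

# Constructed audit.log lines (raw format, not real captures) for the filter.
sample_log() {
    cat <<'EOF'
node=10.8.4.118 type=SYSCALL msg=audit(1361884394.100:2): arch=c000003e syscall=2 success=yes exit=3 pid=20700 auid=2217 uid=2217 gid=2101 euid=2217 egid=2101 key="home_gid2101"
node=10.8.4.118 type=USER_ACCT msg=audit(1361884395.000:3): user pid=7766 uid=0 auid=4294967295 msg='PAM: accounting acct="root"'
node=10.8.4.118 type=SYSCALL msg=audit(1361884396.200:4): arch=c000003e syscall=2 success=yes exit=4 pid=20800 auid=506 uid=506 gid=506 euid=506 egid=506 key="home_gid2101"
node=10.8.4.118 type=SYSCALL msg=audit(1361884397.300:5): arch=c000003e syscall=87 success=yes exit=0 pid=20900 auid=2300 uid=2300 gid=2101 euid=2300 egid=2101 key="home_gid2101"
node=10.8.4.118 type=SYSCALL msg=audit(1361884398.400:6): arch=c000003e syscall=2 success=yes exit=5 pid=21000 auid=2400 uid=2400 gid=100 euid=2400 egid=100 key="other"
EOF
}

# Keep only records with auid >= $1 AND egid == $2, the same selection as the
# "-F auid>= ... -F egid=" pair above. The first auid= field on a line is used;
# records lacking either field (e.g. USER_ACCT without egid) are dropped.
select_records() {
    awk -v min_auid="$1" -v gid="$2" '
    {
        auid = ""; egid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid" && auid == "") auid = kv[2]
            if (kv[1] == "egid") egid = kv[2]
        }
        if (auid != "" && egid != "" && auid + 0 >= min_auid + 0 && egid + 0 == gid + 0) print
    }'
}

# Number of sample records the selection would keep for a given threshold/GID.
count_selected() {
    sample_log | select_records "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: print the rules, then the records the filter keeps.
audit_rules_fragment
sample_log | select_records "$MIN_AUID" "$TARGET_GID"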