LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-14-2019, 02:19 AM   #1
luka1982
LQ Newbie
 
Registered: May 2008
Posts: 2

Rep: Reputation: 1
Auditd filter


Hello,

I'm trying to establish RHEL auditing with auditd.
We would like to log only the commands of users connected over ssh and executed as the root user. For a start I'm testing these rules:
-a always,exit -F arch=b64 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
-a always,exit -F arch=b32 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
It all works well, but the problem is that on some servers there was a lot of unnecessary logging of events from system activity: type=SYSCALL records with tty=(none).
I was trying to add a filter with tty!=(none), but a tty filter is not supported. Is there some other general option to filter out such events? I don't like the idea of writing a custom filter for every server.

Thanks and best regards,

Luka
 
Old 02-19-2019, 05:56 AM   #2
luka1982
LQ Newbie
 
Registered: May 2008
Posts: 2

Original Poster
Rep: Reputation: 1
Hi,

If someone has a similar problem: I figured out how to filter those events with tty=(none). For log analysis we are using the ELK stack, so I installed Auditbeat on the RHEL servers.
Auditbeat supports filtering on the tty field:
processors:
  - drop_event:
      when:
        contains:
          auditd.data.tty: "(none)"

Best regards,

Luka
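As an added illustration (not code from the thread, from auditd or from Auditbeat), here is a small Python filter that applies the same selection to constructed audit.log records: keep SYSCALL records with key=root-commands, uid=0 and auid inside the rules' range, and drop the ones with tty=(none), as the drop_event processor above does. The sample records below are made up; only the fields the filter reads are meaningful.

```python
import re
from typing import Dict, List

# Constructed sample audit.log records (not taken from any real server).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1550131200.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2345 pid=2346 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=12 comm="systemctl" exe="/usr/bin/systemctl" key="root-commands"
type=SYSCALL msg=audit(1550131200.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=1001 uid=0 gid=0 euid=0 tty=(none) ses=12 comm="logrotate" exe="/usr/sbin/logrotate" key="root-commands"
type=SYSCALL msg=audit(1550131200.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2345 pid=2347 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=12 comm="ls" exe="/usr/bin/ls" key=(null)
type=PROCTITLE msg=audit(1550131200.101:201): proctitle=73797374656D63746C
"""

# audit records are space-separated name=value pairs; values may be quoted
FIELD_RE = re.compile(r'(\w[\w.]*)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field -> value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_interactive_root_command(rec: Dict[str, str], key: str = "root-commands") -> bool:
    """Mirror the thread's rule (key, uid=0, 1000 < auid < 99000000) and add
    the condition auditd rules cannot express directly: tty != (none)."""
    if rec.get("type") != "SYSCALL" or rec.get("key") != key:
        return False
    try:
        auid = int(rec.get("auid", "-1"))  # unset auid is 4294967295, outside the range
    except ValueError:
        return False
    return (rec.get("uid") == "0"
            and 1000 < auid < 99000000
            and rec.get("tty", "(none)") != "(none)")


def filter_log(text: str) -> List[Dict[str, str]]:
    """Return only the records an analyst wants to see from a block of audit.log text."""
    return [r for r in map(parse_record, text.splitlines()) if is_interactive_root_command(r)]


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_LOG):
        print(rec["auid"], rec["tty"], rec["exe"])
```

Two caveats when relying on this filter: auid>1000 excludes auid 1000 itself, the first regular account on RHEL, and an ssh session that runs a command without allocating a pty (ssh host 'cmd') also carries tty=(none), so this filter drops those commands as well.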