Old 02-14-2019, 02:19 AM   #1
LQ Newbie
Registered: May 2008
Posts: 2

Rep: Reputation: 1
Auditd filter


I'm trying to establish RHEL auditing with auditd.
We would like to log only commands of users connected over ssh and executed as the root user. For a start I'm testing these rules:
-a always,exit -F arch=b64 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
-a always,exit -F arch=b32 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
It all works well, but the problem is that on some servers there was a lot of unnecessary logging of events from system activity: type=SYSCALL with tty=(none).
I was trying to add a filter with tty!=(none), but the tty filter is not supported. Is there some other general option to filter out such events? I don't like the idea of writing a custom filter for every server.

Thanks and best regards,

Old 02-19-2019, 05:56 AM   #2
LQ Newbie
Registered: May 2008
Posts: 2

Original Poster
Rep: Reputation: 1

If someone has a similar problem: I figured out how to filter those events with tty=(none). For log analysis we are using the ELK stack, so I installed Auditbeat on the RHEL servers.
Auditbeat supports filtering on the tty field:
processors:
  - drop_event:
      when.contains:
        auditd.data.tty: "(none)"

Best regards,

1 members found this post helpful.
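The condition the thread ends up with, "execve by a logged-in user running as root, but only when a real tty is attached", can also be applied after the fact to raw audit.log records, which is useful for checking what the auditctl rule actually matched before deciding on a shipping-side filter. The following is an added example, not code from either post or from the audit or Auditbeat projects: a small parser for the key=value record format plus the filter from post #1 with the tty check from post #2. The log lines are constructed samples in audit.log syntax, not captured from a server; the auid bounds and the key name are taken from the posted rules.

```python
"""Filter auditd SYSCALL records: keep execve events tagged key="root-commands"
that came from an interactive session (a real tty) and drop the tty=(none)
records produced by background system activity.

Added example for the thread above; the sample records are constructed."""
import re

# Constructed audit.log-style records. 4001 and 4003: an ssh user (auid=1001)
# running commands as root on pts0. 4002: the same auid, but a cron-like
# process with tty=(none). 4004: a non-root execve the rule never tagged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1550131200.123:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2105 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="systemctl" exe="/usr/bin/systemctl" key="root-commands"
type=SYSCALL msg=audit(1550131201.456:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2200 auid=1001 uid=0 gid=0 euid=0 tty=(none) ses=7 comm="run-parts" exe="/usr/bin/run-parts" key="root-commands"
type=SYSCALL msg=audit(1550131202.789:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2300 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="root-commands"
type=SYSCALL msg=audit(1550131203.000:4004): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="ls" exe="/usr/bin/ls" key=(null)
"""

# One key=value pair; values are either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg field carries the event timestamp and serial: audit(<secs>:<serial>)
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Parse one audit.log record into a dict of field -> value.

    Quoted values are unquoted; msg=audit(ts:serial) is additionally split
    into 'timestamp' (float) and 'serial' (int)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def is_interactive_root_command(rec, min_auid=1000, max_auid=99000000):
    """Mirror the posted rule (auid in range, uid=0, key=root-commands) and
    add the tty condition that auditctl cannot express.

    An unset login uid is 4294967295, which the upper bound excludes, so
    daemons started at boot never match even when they run as root."""
    if rec.get("type") != "SYSCALL" or rec.get("key") != "root-commands":
        return False
    try:
        auid = int(rec.get("auid", "-1"))
        uid = int(rec.get("uid", "-1"))
    except ValueError:
        return False
    if not (min_auid < auid < max_auid) or uid != 0:
        return False
    # The filter the thread wanted: drop records with no controlling tty.
    return rec.get("tty", "(none)") != "(none)"


def filter_log(text):
    """Return the parsed records from text that pass the interactive-root filter."""
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_interactive_root_command(rec):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_AUDIT_LOG):
        print(f'{rec["timestamp"]:.3f} serial={rec["serial"]} auid={rec["auid"]} '
              f'tty={rec["tty"]} {rec["exe"]}')
```

On a real host the input would be the output of `ausearch -k root-commands --raw` (the unformatted records; `-i` would rewrite the fields). The check in is_interactive_root_command is the same predicate the Auditbeat drop_event in post #2 expresses on the shipped events, with one caveat worth keeping in mind: filtering at the shipper or in a script only thins what is analyzed, the tty=(none) records are still generated by the kernel and still land in audit.log, so disk usage and audit backlog on the noisy servers are unchanged.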