Hi Team,
If I need to eliminate/omit the following lines, how can I do so?
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
Regards
Hi @Hector
Let's start from here.
Please give us the output of
sudo auditctl -l
OR
Please play around with this:
Main directory:
/etc/audit
How to interpret your audit logs:
-a action,list: always log on syscall exit
-F field
-S syscall: execve
-k logging key: programs
auditctl -l: list the current rule set
More examples:
https://github.com/EricGershman/auditd-examples
Cheers.
Will
[root@lxhomoora5 ~]# auditctl -l
-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
[root@lxhomoora5 ~]#
[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320
-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#
Hi @Hector
@Hector wrote:
[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320
-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#
Per your 'auditctl -l', those rules that you wanted to omit were not loaded. Thus, you have achieved what you wanted, though I am not sure what you did.
Otherwise, you would have seen something like this:
[root@myrhel0 ~]# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-w /etc/pam.d -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
And you will be able to see the rules at
/etc/audit/rules.d/*.rules
Agree? Or tell us more about what you are trying to really achieve.
Cheers.
Will
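The two replies above explain the rule fields (-a, -F, -S, -k) and that /etc/audit/audit.rules is generated from /etc/audit/rules.d/*.rules, so an unwanted rule has to be removed from the rules.d fragment it comes from. The script below is an added example, not code from the thread or from Red Hat: it finds every rule carrying a given key and strips only the syscall (-a always,exit ...) rules for that key, leaving the -w watch rules with the same key in place, which matches the configuration Hector ended up with. The rules.d directory, the fragment file names and the rule lines are constructed for the demo; on a host the directory is /etc/audit/rules.d.

```shell
#!/bin/sh
# Added example, not code from the thread: remove the "-a always,exit ... -F key=KEY"
# syscall rules for one key from an auditd rules.d directory while keeping the "-w"
# watch rules that carry the same key. Paths and file names are assumptions for a
# runnable demo; on a real host the directory is /etc/audit/rules.d.

# List every rule line in DIR that carries KEY, in either "-k KEY" or "-F key=KEY"
# form (auditctl -l prints watches with -k and syscall rules with -F key=).
# Output is file:line:rule, one per match; no match is not an error.
find_rules_by_key() {
    dir="$1"; key="$2"
    grep -nE -- "(-k[[:space:]]+|-F[[:space:]]+key=)${key}([[:space:]]|\$)" "$dir"/*.rules || :
}

# Rewrite every *.rules file in DIR without the syscall (-a) rules for KEY.
# Watch (-w) rules and control lines (-D, -b) are left untouched.
strip_syscall_rules_by_key() {
    dir="$1"; key="$2"
    for f in "$dir"/*.rules; do
        tmp="$f.tmp"
        # grep -v exits 1 when nothing is left to print; that is not a failure here.
        grep -vE -- "^[[:space:]]*-a[[:space:]].*(-k[[:space:]]+|-F[[:space:]]+key=)${key}([[:space:]]|\$)" "$f" > "$tmp" || :
        mv "$tmp" "$f"
    done
}

# Number of effective rule lines (not comments, not blank) across DIR.
count_rules() {
    grep -hvE '^[[:space:]]*(#|$)' "$1"/*.rules | wc -l | tr -d ' '
}

# Constructed sample rules.d, modelled on the rule set quoted in the thread.
make_demo_rules() {
    mkdir -p "$1"
    cat > "$1/10-base.rules" <<'EOF'
## constructed sample: control options
-D
-b 320
EOF
    cat > "$1/30-syscalls.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
EOF
    cat > "$1/50-watches.rules" <<'EOF'
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
EOF
}

# Walk through the procedure on the constructed sample: 7 rules before, 5 after,
# and the two -w watches for the key survive.
demo() {
    d=$(mktemp -d)
    make_demo_rules "$d"
    echo "rules before: $(count_rules "$d")"
    find_rules_by_key "$d" MF689BBBE808804A22B2FA6C8828EE2CEB
    strip_syscall_rules_by_key "$d" MF689BBBE808804A22B2FA6C8828EE2CEB
    echo "rules after: $(count_rules "$d")"
    find_rules_by_key "$d" MF689BBBE808804A22B2FA6C8828EE2CEB
    rm -rf "$d"
}

demo
```

On a real host, point the functions at /etc/audit/rules.d (never at the generated /etc/audit/audit.rules, which the header says is overwritten), then run `augenrules --load` to regenerate audit.rules and load it. To drop rules that are already in the kernel without a full reload, `auditctl -D -k KEY` deletes every loaded rule with that key (watches included), and `auditctl -d` followed by the exact rule text deletes a single rule. If the rule set has been locked with `-e 2`, no change takes effect until the next reboot.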
Red Hat Learning Community