Hector (Cadet)

Audit

Hi Team,

If I need to eliminate/omit the following lines, how can I do it?

-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503

Regards

5 Replies
williamwlk (Flight Engineer)

Hi @Hector

Let's start from here.

Please give us an output of

sudo auditctl -l

OR

Please play around with this:

Main directory:

/etc/audit

How to interpret your audit logs:

-a action list: always log on syscall exit
-F field
-S syscall: execve
-k Logging Key: programs

auditctl -l - List current rule set

More examples:

https://github.com/EricGershman/auditd-examples

Cheers.
Will

Hector (Cadet)

[root@lxhomoora5 ~]# auditctl -l
-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
[root@lxhomoora5 ~]#

Hector (Cadet)

[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320

-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#

williamwlk (Flight Engineer)

Hi @Hector


@Hector wrote:

[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320

-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#


Per your 'auditctl -l', those rules that you wanted to omit were not loaded. Thus, you have achieved what you wanted, though not sure what you did.

Otherwise, you would have seen something like this:

[root@myrhel0 ~]# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-w /etc/pam.d -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

And you will be able to see the rules at

/etc/audit/rules.d/*.rules

Agree? Or tell us more about what you are trying to really achieve.


Cheers.

Will

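As an added example that is not from either poster: a small POSIX sh script that lists the rules carrying a given key under a rules.d-style directory (the /etc/audit/rules.d/*.rules layout Will points at, from which audit.rules is regenerated) and writes filtered copies with those rules dropped, so the change can be reviewed before it is loaded. The key names, file names and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds and drops auditd rules carrying
# a given key (-k KEY or -F key=KEY) from a rules.d-style directory, writing the
# filtered copies elsewhere so the result can be reviewed before loading.
# Uses only grep/sed; the directory and keys below are constructed for the demo.

# Print every rule in DIR/*.rules that carries KEY.
list_rules_with_key() {
    dir=$1; key=$2
    grep -h -E -- "(-k[[:space:]]+|-F[[:space:]]+key=)${key}([[:space:]]|$)" "$dir"/*.rules
}

# Copy DIR/*.rules to OUT/, deleting only the rule lines that carry KEY.
# Comments, -D, -b and rules tagged with other keys are left untouched.
drop_rules_with_key() {
    dir=$1; key=$2; out=$3
    mkdir -p "$out"
    for f in "$dir"/*.rules; do
        sed -E "/(-k[[:space:]]+|-F[[:space:]]+key=)${key}([[:space:]]|$)/d" "$f" \
            > "$out/$(basename "$f")"
    done
}

# Count rule/option lines (those starting with '-') across DIR/*.rules.
count_rules() {
    cat "$1"/*.rules | grep -c -E -- '^-'
}

# Constructed sample rules.d mirroring the rule shapes quoted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/rules.d"
cat > "$demo/rules.d/10-base.rules" <<'EOF'
## constructed sample, not a real host's rules
-D
-b 320
-w /etc/passwd -p wa -k KEEP_ME
-w /etc/shadow -p wa -k KEEP_ME
EOF
cat > "$demo/rules.d/50-syscalls.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -F key=DROP_ME
-a always,exit -F arch=b32 -S execve -F key=DROP_ME
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=DROP_ME
-w /etc/pam.d/ -p wa -k KEEP_ME
EOF

drop_rules_with_key "$demo/rules.d" DROP_ME "$demo/filtered"
# On a real host: review the diff against /etc/audit/rules.d, replace the files,
# then validate and apply with `augenrules --check` and `augenrules --load`.
```

Because audit.rules is regenerated from rules.d, editing audit.rules directly is undone on the next augenrules run; the filtered files are what should replace the originals.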
williamwlk (Flight Engineer)

Hi @Hector

Did you find my reply helpful? Please let me know.

Will
