Hector

Audit

Hi Team,

If I need to eliminate/omit the following lines, how can I do it?

-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503

regards
williamwlk

Re: Audit

Hi @Hector

Let's start from here.

Please give us an output of

sudo auditctl -l

OR

Please play around with this:

Main directory:

/etc/audit

How to interpret your audit logs:

-a action list: always log on syscall exit
-F field
-S syscall: execve
-k logging key: programs

auditctl -l: list the current rule set

More examples :

https://github.com/EricGershman/auditd-examples

Cheers.
Will

Hector

Re: Audit

[root@lxhomoora5 ~]# auditctl -l
-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
[root@lxhomoora5 ~]#

 

Hector

Re: Audit

[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320

-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#

williamwlk

Re: Audit

Hi @Hector


@Hector wrote:

[root@lxhomoora5 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320

-w /etc/pam.d/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba/ -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

[root@lxhomoora5 audit]# pwd
/etc/audit
[root@lxhomoora5 audit]#


Per your 'auditctl -l', those rules that you wanted to omit were not loaded. Thus, you have achieved what you wanted, though I am not sure what you did.

Otherwise, you would have seen something like this:

[root@myrhel0 ~]# auditctl -l
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S dup,dup2,clone,fork,vfork,execve,exit,utime,adjtimex,settimeofday,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b32 -S exit,fork,execve,utime,dup,dup2,settimeofday,clone,adjtimex,vfork,exit_group,utimes,futimesat,utimensat -F key=MF77544730A04842DF8778C78DBED6F0FA
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b64 -S dup,dup2,utime,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-a always,exit -F arch=b32 -S utime,dup,dup2,utimes,futimesat,utimensat -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-w /etc/pam.d -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/samba -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB

And you will be able to see the rules at

/etc/audit/rules.d/*.rules

 

Agree? Or tell us more about what you are trying to really achieve.

 

Cheers.

Will
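To make the two pieces of advice above concrete (reading the key field Will explains, and removing only the `-a` syscall rules Hector asked about while keeping the `-w` watches, which is the end state his `auditctl -l` shows), here is an added shell example. It is not code from the thread or from the audit package. It assumes the rules live in `/etc/audit/rules.d/*.rules` and are compiled into `/etc/audit/audit.rules` by `augenrules --load`, which is what the "automatically generated from /etc/audit/rules.d" header in Hector's file indicates; the sample rules and the file name `10-base.rules` are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: filter auditd rules by key so the
# "-a ... -S ..." syscall rules can be dropped while the "-w" watches survive.
# Assumption: rules.d layout compiled by "augenrules --load".

# Constructed sample in the shape of the rules posted in the thread.
SAMPLE_RULES='-D
-b 320
-a always,exit -F arch=b64 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b32 -S execve -F key=MF689BBBE808804A22B2FA6C8828EE2CEB
-a always,exit -F arch=b64 -S execve -F key=MFF69DB48D30D540EAAD792CD3C8FFD503
-w /etc/passwd -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB
-w /etc/shadow -p wa -k MF689BBBE808804A22B2FA6C8828EE2CEB'

# rule_key: print the key of every rule on stdin. auditctl accepts the key as
# "-k KEY" (watches) or "-F key=KEY" (how auditctl -l prints syscall rules);
# control lines such as -D and -b carry no key and print nothing.
rule_key() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-k") { print $(i + 1); break }
            if ($i == "-F" && $(i + 1) ~ /^key=/) { print substr($(i + 1), 5); break }
        }
    }'
}

# list_keys: each distinct key with the number of rules that carry it.
list_keys() {
    rule_key | sort | uniq -c | awk '{ print $2, $1 }'
}

# drop_syscall_rules_by_key KEY: remove the "-a" syscall rules tagged KEY and
# pass every other line (watches, -D, -b, comments) through unchanged.
drop_syscall_rules_by_key() {
    awk -v key="$1" '
        /^-a / && ($0 ~ ("-F key=" key "($|[ \t])") || $0 ~ ("-k " key "($|[ \t])")) { next }
        { print }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | list_keys
printf '%s\n' "$SAMPLE_RULES" | drop_syscall_rules_by_key MF689BBBE808804A22B2FA6C8828EE2CEB

# On a real host (not run here): find the file that carries the key, edit a
# copy, review the diff, then rebuild audit.rules and confirm with auditctl -l.
#   grep -l MF689BBBE808804A22B2FA6C8828EE2CEB /etc/audit/rules.d/*.rules
#   f=/etc/audit/rules.d/10-base.rules        # hypothetical file name
#   drop_syscall_rules_by_key MF689BBBE808804A22B2FA6C8828EE2CEB < "$f" > "$f.new"
#   diff "$f" "$f.new"
#   cp "$f.new" "$f" && augenrules --load && auditctl -l
```

Edit the source files under rules.d rather than `/etc/audit/audit.rules` itself, since the generated file is overwritten on the next `augenrules --load`. If the rule set has been locked with `-e 2`, changes only take effect after a reboot, so check `auditctl -s` for the `enabled` value before expecting `auditctl -l` to change.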
williamwlk

Re: Audit

Hi @Hector

You find my reply helpful? Please let me know.

Will
