* Exclude Watched Items
@ 2017-05-15 21:08 Boyce, Kevin P [US] (AS)
  2017-05-16  3:22 ` Richard Guy Briggs
  0 siblings, 1 reply; 4+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2017-05-15 21:08 UTC (permalink / raw)
  To: linux-audit

Ok I admit I should know how to do this, but it is evident I do not.

On RHEL 5.11, what is the correct way for me to not audit anything in /proc?

I had tried:
-d entry,always -S all -F dir=/proc
-a exclude,always -F dir=/proc

Both of these are ignored.  The first makes sense because I guess -d must match exactly a rule already loaded in the kernel.
The second is telling me I have an invalid message type, but I can't seem to find the valid message types documented in the man pages.

Other system calls which are audited are open, fopen, chown, chattr, etc.
I am trying to prevent auditing of the open syscall on /proc/... because there are a lot of them, and it is not a requirement.

Kevin


* Re: Exclude Watched Items
  2017-05-15 21:08 Exclude Watched Items Boyce, Kevin P [US] (AS)
@ 2017-05-16  3:22 ` Richard Guy Briggs
  2017-05-16 12:54   ` EXT :Re: " Boyce, Kevin P [US] (AS)
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Guy Briggs @ 2017-05-16  3:22 UTC (permalink / raw)
  To: Boyce, Kevin P [US] (AS); +Cc: linux-audit

On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
> 
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
> 
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
> 
> Both of these are ignored.  The first makes sense because I guess -d
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule.  (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old.

More types are supported upstream and only in very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* RE: EXT :Re: Exclude Watched Items
  2017-05-16  3:22 ` Richard Guy Briggs
@ 2017-05-16 12:54   ` Boyce, Kevin P [US] (AS)
  2017-05-16 21:17     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2017-05-16 12:54 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

I'll give that a shot.  How do I find out what the supported message types are?

-----Original Message-----
From: Richard Guy Briggs [mailto:rgb@redhat.com] 
Sent: Monday, May 15, 2017 11:23 PM
To: Boyce, Kevin P [US] (AS) <Kevin.Boyce@ngc.com>
Cc: linux-audit@redhat.com
Subject: EXT :Re: Exclude Watched Items

On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
> 
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
> 
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
> 
> Both of these are ignored.  The first makes sense because I guess -d 
> must match exactly a rule already loaded in the kernel.

"-d" says delete the rule.  (I think the entry list is deprecated.)

> The second is telling me I have an invalid message type, but I can't 
> seem to find the valid message types documented in the man pages.

The exclude list only supports "-F msgtype=" on anything that old.

More types are supported upstream and only in very recent RHEL7.

> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.

How about "-a exit,never -F dir=/proc"?

> Kevin

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: EXT :Re: Exclude Watched Items
  2017-05-16 12:54   ` EXT :Re: " Boyce, Kevin P [US] (AS)
@ 2017-05-16 21:17     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2017-05-16 21:17 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On Tuesday, May 16, 2017 8:54:40 AM EDT Boyce, Kevin P [US] (AS) wrote:
> I'll give that a shot.  How do I find out what the supported message types
> are?

ausearch -m x

This will cause ausearch to output an error message that describes the 
supported types.

-Steve

> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb@redhat.com]
> Sent: Monday, May 15, 2017 11:23 PM
> To: Boyce, Kevin P [US] (AS) <Kevin.Boyce@ngc.com>
> Cc: linux-audit@redhat.com
> Subject: EXT :Re: Exclude Watched Items
> 
> On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> > Ok I admit I should know how to do this, but it is evident I do not.
> > 
> > On RHEL 5.11, what is the correct way for me to not audit anything in
> > /proc?
> > 
> > I had tried:
> > -d entry,always -S all -F dir=/proc
> > -a exclude,always -F dir=/proc
> > 
> > Both of these are ignored.  The first makes sense because I guess -d
> > must match exactly a rule already loaded in the kernel.
> 
> "-d" says delete the rule.  (I think the entry list is deprecated.)
> 
> > The second is telling me I have an invalid message type, but I can't
> > seem to find the valid message types documented in the man pages.
> 
> The exclude list only supports "-F msgtype=" on anything that old.
> 
> More types are supported upstream and only in very recent RHEL7.
> 
> > Other system calls which are audited are open, fopen, chown, chattr, etc.
> > I am trying to prevent auditing of the open syscall on /proc/...
> > because there are a lot of them, and it is not a requirement.
> 
> How about "-a exit,never -F dir=/proc"?
> 
> > Kevin
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
> 

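Putting the two suggestions together, as an added example that is not from any message in this thread: a rules fragment with Richard's "-a exit,never -F dir=/proc" placed ahead of the watch rules, a small lint that checks that ordering, and a guarded wrapper for Steve's "ausearch -m x" trick. The watched paths, keys and the open rule are constructed for illustration and stand in for whatever the site's real audit.rules contains. The ordering matters: the kernel walks the exit filter list in order and the first matching rule decides whether a record is emitted, so a "never" rule that is loaded after the watches does not suppress records those watches already produce.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the auditctl(8) rule syntax
# used in the messages above; paths and keys below are constructed samples.

# Rules text with the exclusion first. -D flushes existing rules, -b sets the
# backlog; the never rule must precede every -w / -a exit,always rule.
GOOD_RULES='-D
-b 8192
-a exit,never -F dir=/proc
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access
'

# Same rules with the exclusion last. auditctl loads this without complaint,
# but the watches above it still match first, so /proc records keep coming.
BAD_RULES='-D
-b 8192
-w /etc/passwd -p wa -k identity
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access
-a exit,never -F dir=/proc
'

# rules_never_first RULES_TEXT
# Returns 0 when every "-a exit,never" rule appears before the first rule
# that can emit a record ("-w ..." or "-a exit,always ..."), 1 otherwise.
rules_never_first() {
    printf '%s\n' "$1" | awk '
        /^-a[ \t]+exit,always/ || /^-w[ \t]/ { seen_always = 1 }
        /^-a[ \t]+exit,never/ && seen_always { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# count_never_rules RULES_TEXT
# Prints how many "never" rules the text contains (0 means nothing is excluded).
count_never_rules() {
    printf '%s\n' "$1" | grep -c '^-a[[:space:]]*exit,never' || true
}

# load_rules RULES_TEXT
# Lints the ordering, then hands the rules to auditctl -R where it exists.
# Refuses to load a set whose exclusion would be shadowed by earlier rules.
load_rules() {
    if ! rules_never_first "$1"; then
        echo "refusing to load: a never rule follows a watch/always rule" >&2
        return 1
    fi
    if ! command -v auditctl >/dev/null 2>&1; then
        echo "auditctl not installed; rules not loaded" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    printf '%s' "$1" >"$tmp"
    auditctl -R "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# list_msgtypes
# Steve's trick: ausearch rejects the bogus type "x" and names the accepted
# message types in its error text, which is what -F msgtype= wants.
list_msgtypes() {
    if ! command -v ausearch >/dev/null 2>&1; then
        echo "ausearch not installed" >&2
        return 1
    fi
    ausearch -m x 2>&1
}
```

Run the lint against the candidate rules file before restarting auditd (cat /etc/audit/audit.rules into rules_never_first); on a host with the audit userspace installed, load_rules applies the checked set and list_msgtypes prints the type names accepted by the exclude list.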