* Exclude Watched Items
From: Boyce, Kevin P [US] (AS) @ 2017-05-15 21:08 UTC (permalink / raw)
To: linux-audit
Ok I admit I should know how to do this, but it is evident I do not.
On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
I had tried:
-d entry,always -S all -F dir=/proc
-a exclude,always -F dir=/proc
Both of these are ignored. The first makes sense because I guess -d must match exactly a rule already loaded in the kernel.
The second is telling me I have an invalid message type, but I can't seem to find the valid message types documented in the man pages.
Other system calls which are audited are open, fopen, chown, chattr, etc.
I am trying to prevent auditing of the open syscall on /proc/... because there are a lot of them, and it is not a requirement.
Kevin
* Re: Exclude Watched Items
From: Richard Guy Briggs @ 2017-05-16 3:22 UTC (permalink / raw)
To: Boyce, Kevin P [US] (AS); +Cc: linux-audit
On 2017-05-15 21:08, Boyce, Kevin P [US] (AS) wrote:
> Ok I admit I should know how to do this, but it is evident I do not.
>
> On RHEL 5.11, what is the correct way for me to not audit anything in /proc?
>
> I had tried:
> -d entry,always -S all -F dir=/proc
> -a exclude,always -F dir=/proc
>
> Both of these are ignored. The first makes sense because I guess -d
> must match exactly a rule already loaded in the kernel.
"-d" says delete the rule. (I think the entry list is deprecated.)
> The second is telling me I have an invalid message type, but I can't
> seem to find the valid message types documented in the man pages.
The exclude list only supports "-F msgtype=" on anything that old.
More types are supported upstream and only very recent RHEL7.
> Other system calls which are audited are open, fopen, chown, chattr, etc.
> I am trying to prevent auditing of the open syscall on /proc/...
> because there are a lot of them, and it is not a requirement.
How about "-a exit,never -F dir=/proc"?
> Kevin
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
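The "-a exit,never -F dir=/proc" rule Richard suggests only takes effect if it is loaded before the "always" rules, because the exit filter list is matched in order and the first matching rule wins. The following is an added example, not code from the thread: it writes a constructed rules fragment in that order and checks the ordering without needing root or a running auditd; the syscall set and keys are assumed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Exit-list rules are
# first-match, so a "never" suppression placed after an "always" rule for
# the same syscalls silently does nothing. This builds a rules fragment
# with the suppression first and checks that ordering in any rules file.

# Writes a constructed rules fragment to the file named in $1.
write_rules() {
    cat > "$1" <<'EOF'
## Suppression first: the exit list is evaluated top to bottom.
-a exit,never -F dir=/proc
## Watched syscalls (constructed set, not the poster's real rules).
-a exit,always -F arch=b64 -S open,openat -k file-open
-a exit,always -F arch=b64 -S chown,fchown,lchown -k file-chown
EOF
}

# Returns 0 when every "-a exit,never" rule in the file named in $1 comes
# before the first "-a exit,always" rule, 1 when a suppression is placed
# too late, and 2 when the file contains no suppression at all.
check_suppression_order() {
    first_always=$(grep -n -- '-a exit,always' "$1" | head -n1 | cut -d: -f1)
    last_never=$(grep -n -- '-a exit,never' "$1" | tail -n1 | cut -d: -f1)
    [ -n "$last_never" ] || return 2
    [ -z "$first_always" ] && return 0
    [ "$last_never" -lt "$first_always" ]
}

# Stand-alone usage: build the fragment and verify it.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_RULES_LIB" ]; then
    out=${1:-/tmp/proc-suppression.rules}
    write_rules "$out"
    if check_suppression_order "$out"; then
        echo "ok: suppression precedes always rules in $out"
    else
        echo "problem: suppression missing or ordered after always rules" >&2
    fi
fi
```

Load the resulting fragment with auditctl -R, or place it ahead of the existing rules so the suppression is read first.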
* RE: EXT :Re: Exclude Watched Items
From: Boyce, Kevin P [US] (AS) @ 2017-05-16 12:54 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
I'll give that a shot. How do I find out what the supported message types are?
* Re: EXT :Re: Exclude Watched Items
From: Steve Grubb @ 2017-05-16 21:17 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
On Tuesday, May 16, 2017 8:54:40 AM EDT Boyce, Kevin P [US] (AS) wrote:
> I'll give that a shot. How do I find out what the supported message types
> are?
ausearch -m x
This will cause ausearch to output an error message that describes the
supported types.
-Steve