From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Excluding audit for BIND daemon Date: Sat, 23 Sep 2017 14:54:47 -0400 Message-ID: <4054591.avblJfevpb@x2> References: <5443197.uldAHpj5g8@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Rituraj Buddhisagar Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Hello, On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote: > As per the config file which I had sent (/etc/audit/audit.rules); below > line has root_action > > *-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k > root_action* If you wanted just people and not daemons, then I would suggest changing the rule to this: -a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action However, that is likely to trigger way more events than you need. Because this will trigger on every single syscall and slow down the system. What you would normally want to know is which commands were run as root. A rule for that would look like this: -a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action -a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action Another approach would be to enable keystroke logging. This would involve adding pam_audit_tty to the su and sudo pam configs. Use the default setting shown in the pam man page. If you do this, then don't have the root_action rule because you'll get double information. And last bit of advice...there are pre-written rules that you can install. On Fedora, they are located in /usr/share/doc/audit/rules/. There is a README-rules file that explains how to use them. -Steve > I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/* > > Thanks! > > > > Best Regards, > Rituraj B > > On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb wrote: > > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote: > > > Continued...from previous mail of mine.. > > > > > > While I am reading and exploring much on auditd & on how I can have a > > > proper central system where logs are stored and daily reports get > > > generated, you might want to look at my config file on server and > > > suggest/recommend if anything - would appreciate if any pointers. > > > > > > I am using default config which came with Ubuntu 16.04 and only change > > > > was* > > > > > "-F auid!=4294967295"* on line where root_action is defined . > > > > There is no rule, root_action, that is shipped with the audit package. I > > would > > be interested in seeing it if you could copy and paste it into a reply. > > > > -Steve