Filtering out non-interactive users

PJB pjb at decafgeek.org
Wed Jan 19 14:01:55 UTC 2011


On Sun, Jan 16, 2011 at 10:00:11AM -0500, Steve Grubb [sgrubb at redhat.com] wrote:
> > > > Can someone point me to documentation/examples or help me out with the
> > > > proper syntax for setting up rules that will exclude the background
> > > > processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> > > > longer does the job.
> > > 
> > > There's been a lot of bugs fixed since then. You might try building a
> > > newer auditctl and trying it out to see if that makes a difference. Also
> > > note that the event capturing is done by the kernel and the kernel
> > > version would matter more than the auditd version.
> > 
> > Unfortunately I'm in one of those situations where changing software
> > versions will cause severe heartburn with management and customer types
> > due to concerns about baseline stability, so I have to stick with what we
> > have right now. The kernel is 2.6.33.1 with no extra patches, as far as I
> > know.
> 
> That should work unless there is a 32-bit bug everyone has missed or you have another
> rule preventing the logging. If you do cat /proc/self/loginuid, do you get a number >
> 0? Also, if you use auid!=4294967295, does that work?

The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the
filters, when I run 'auditctl -l' the rules are listed, but each one has
'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all
tagged with auid 4294967295. Is this proper or did I stumble upon a bug
after all?

I've managed a workaround for most of my systems; since we do not permit
direct root login to anything, using a filter of '-F uid!=0' manages to
filter out most of the background activity. However I do have a couple of
systems that only have a root user so this method does not work.

Thanks again!
Patrick
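As an added example (not code from Patrick's or Steve's messages), a post-collection filter in POSIX shell that drops audit records whose auid is the unset loginuid value 4294967295 discussed above, for the root-only systems where '-F uid!=0' cannot help. It assumes ausearch-style raw records on stdin; the sample records are constructed.

```shell
#!/bin/sh
# Added example: keep only audit records from interactive sessions,
# i.e. those whose auid is a real login uid rather than the kernel's
# "unset" marker (uid_t)-1 == 4294967295. Daemons started at boot never
# get a loginuid, so their records carry the unset value.
UNSET_AUID=4294967295

# Constructed sample records (not real logs): two daemon events with an
# unset auid and one interactive event with auid=500.
SAMPLE_LOG='type=SYSCALL msg=audit(1295445715.001:10): arch=40000003 syscall=11 success=yes exit=0 auid=4294967295 uid=0 comm="cron"
type=SYSCALL msg=audit(1295445715.002:11): arch=40000003 syscall=11 success=yes exit=0 auid=500 uid=500 comm="vi"
type=SYSCALL msg=audit(1295445715.003:12): arch=40000003 syscall=11 success=yes exit=0 auid=4294967295 uid=0 comm="logrotate"'

# auid_of LINE: print the auid field of one record, or nothing if absent.
auid_of() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]auid=\([0-9]*\).*/\1/p'
}

# is_interactive AUID: success (0) when AUID is numeric and not the unset
# marker. Non-numeric forms such as "-1" or an empty field are treated as
# unset, so the same check works on the value of /proc/self/loginuid.
is_interactive() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne "$UNSET_AUID" ]
}

# filter_interactive < LOG: emit only records with a set loginuid.
filter_interactive() {
    while IFS= read -r line; do
        if is_interactive "$(auid_of "$line")"; then
            printf '%s\n' "$line"
        fi
    done
}

# Stand-alone run: prints only the interactive "vi" record.
printf '%s\n' "$SAMPLE_LOG" | filter_interactive
```

Run as `ausearch --raw | sh filter.sh` style input, or feed the value of /proc/self/loginuid to is_interactive to confirm whether the current shell session has a loginuid at all.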
