Filtering audit events
rshaw1 at umbc.edu
rshaw1 at umbc.edu
Mon Aug 31 13:58:42 UTC 2015
> If you use the -i argument to ausearch, it becomes more clear what the
> issue is. The problem is that the program is opening the file for read and
> write, but the permissions are just for group read. If that file were
> 0660, then you would not get this audit event.
Hrm. The process is running as the root user, though. It's going over
the whole filesystem (for backups).
>>The STIG-compliant audit ruleset we're using seems to generate a lot of
>>these, and I'm concerned that may be affecting the performance of the app
>>in question (also, I consider it log spam). I tried the following rule
>>(plus a few variations like ogid), but it doesn't seem to be working:
>>
>>-a exit,never -F gid=9002 -k exclude
>
> This should work as long as its before the open rule. Rules are processed
> from top to bottom with first match winning.
>
>>What would be the best way to approach this?
It's pretty much at the top, well before the open rule. There are only
two other exclude rules before it, and the general settings:
-D
-b 8192
-f 1
This is on RHEL6, if that matters.
--Ray
More information about the Linux-audit
mailing list