excluding auditd events

yersinia yersinia.spiros at gmail.com
Wed May 25 09:08:36 UTC 2011


On Wed, May 25, 2011 at 4:23 AM, Mr Dash Four
<mr.dash.four at googlemail.com>wrote:

>
> > You are only excluding 'user' messages.  I don't know the list of which
> > msg types are 'user' messages off the top of my head, but it isn't that
> > long.  I don't believe that crond sends any other user messages (but it
> > wouldn't be the first time I was wrong).  You would still audit things
> > like AVC denials for cron or or any syscall audit rules you have.
> > Basically that is going to deny all audit messages that cron explicitly
> > sent to the audit system, but not messages generated by the kernel for
> cron.
> >
> I can't really answer whether this is good or not then, as 1) my auditd
> knowledge is still limited and 2) I do not really know what these "user
> messages" actually cover (is there a definite list of these?). I would
> like to disable the following types for sure: USER_ACCT, CRED_ACQ,
> USER_START, CRED_DISP and USER_END.
>
I have found this reference very useful:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp


This shows where events come from and which filters they hit. The cron
event comes from user space. It goes through the user filter, so that's
where the rule would need to be. The only valid fields for this filter
are (from auditctl(8)):

    user   Add a rule to the user message filter list. This list is used
           by the kernel to filter events originating in user space
           before relaying them to the audit daemon. It should be noted
           that the only fields that are valid are: uid, auid, gid, pid,
           subj_user, subj_role, subj_type, subj_sen, and subj_clr. All
           other fields will be treated as non-matching.

Dunno if this can help you. IMHO I think not.

Regards
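As an added example (not from the original post, and not the auditd project's own documentation), here are the two places in auditctl where an exclusion like the one asked about can be expressed. The first uses the user filter the post points at, matching on the sender's SELinux type; it assumes crond is still running in the crond_t domain when it emits these PAM session records. The second uses the exclude filter, which the post does not mention; it is keyed on message type only and therefore drops those types from every sender, not just cron. The APPROACH variable, the domain name crond_t and the choice of the five message types are taken from the question above or are assumptions for illustration.

```shell
#!/bin/sh
# Added example: stop crond's own PAM session records (USER_ACCT,
# CRED_ACQ, USER_START, CRED_DISP, USER_END) from reaching the audit log.
# Run as root on a host with auditd. Rule order matters: a "never" rule
# must be loaded before any rule that would otherwise match the record.

case "${APPROACH:-sender}" in
sender)
    # User filter: only uid, auid, gid, pid and subj_* are valid fields.
    # Drops every user-space record whose sender runs in crond_t.
    # Assumption: crond has not yet transitioned into the job's domain
    # when it sends these records. Kernel-generated records for crond
    # (AVC denials, syscall rules) are not affected by this filter.
    auditctl -a user,never -F subj_type=crond_t
    ;;
msgtype)
    # Exclude filter: keyed on message type only, so this silences the
    # five types for all senders (login, sshd, su ...), not just cron.
    for t in USER_ACCT CRED_ACQ USER_START CRED_DISP USER_END; do
        auditctl -a exclude,always -F msgtype="$t"
    done
    ;;
*)
    echo "APPROACH must be 'sender' or 'msgtype'" >&2
    exit 1
    ;;
esac

# Verify: list the loaded rules, then confirm no new USER_START records
# from crond appear in the last few minutes once a cron job has run.
auditctl -l
ausearch -m USER_START -c crond -ts recent
```

Run with the default (`APPROACH=sender ./rules.sh`) to take the user-filter route, or `APPROACH=msgtype` for the exclude-filter route; do not load both, since the second makes the first redundant. The trade-off is the one the quoted exchange hints at: the sender-based rule is scoped to cron but also drops any other user-space record crond emits, while the msgtype-based rule is precise about record types but blind to who sent them.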

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>