Im using auditctl and get a lot of logging events for crond. I do not wish to log any cron/crond events.
node=127.0.0.1 type=CRED_DISP msg=audit(1405678801.149:5571): user pid=1757 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=127.0.0.1 type=USER_END msg=audit(1405678801.150:5572): user pid=1757 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=127.0.0.1 type=USER_ACCT msg=audit(1405678921.158:5573): user pid=2017 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1405678921.158:5574): user pid=2017 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1405678921.159:5575): login pid=2017 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=102
node=127.0.0.1 type=USER_START msg=audit(1405678921.167:5576): user pid=2017 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
In my audit.rules
I have:
-a exit,never -F path=/usr/sbin/crond
But it seems like its logging the login events for root which then executes the cron. I can't global filter out USER_START
, USER_ACCT
etc. as I need these for other users.
Update:
I believe from http://linux.die.net/man/8/auditctl that the subj part:
subj=system_u:system_r:crond_t:s0-s0:c0.c1023
Relates to the options:
subj_user
Program's SE Linux User
subj_role
Program's SE Linux Role
subj_type
Program's SE Linux Type
subj_sen
Program's SE Linux Sensitivity
subj_clr
Program's SE Linux Clearance
adding:
-a exit,never -F subj_role=crond
or
-a exit,never -F subj_role=crond_
didn't work, the crons still appear.
Best Answer
I believe it is
auditctl -a never,user -F subj_type=crond_t
It works except for the 'type=LOGIN'
Then:
auditctl always,exclude -F msgtype=LOGIN -F subj_type=crond_t
and you're good to go