My auditd rules and my needs are fairly simple, I want only to log root actions.
# auditctl -l
-a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION
That is the only rule, and it works:
type=SYSCALL msg=audit(1550318220.514:11479): arch=c000003e syscall=59 success=yes exit=0 a0=56002fde79a8 a1=56002fdeffc8 a2=56002fdee3a0 a3=0 items=2 ppid=7250 pid=7251 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="tail" exe="/usr/bin/tail" key="ROOT_ACTION"
However I also have apparmor profiles to explicitly deny certain apps privileges they do not need. This is deliberate and works as expected. However they result in my auditd.log being spammed up with stuff like:
type=AVC msg=audit(1550309442.438:207): apparmor="DENIED" operation="exec" profile="/usr/lib/slack/slack" name="/bin/dash" pid=2893 comm="slack" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As you can see, that's being executed by Slack running as a non-root user, so it isn't being caught by my ROOT_ACTION auditd rule.
It does this a LOT:
# cat /var/log/audit/*| egrep apparmor | wc -l
40574
That's in less than 24 hours.
I realise I could use aureport and ausearch or a myriad of other methods to filter what I see. However I would prefer not to introduce the bias of only finding the weirdness I was expecting, because it's the unexpected that worries me.
So, how can I:
- stop auditd from appending these events to /var/log/audit/audit.log?
- prevent apparmor from logging denied activities in the context of an individual profile (not globally) (UPDATE, Hargut's answer below addresses this, the solution is to explicitly use 'deny' which does not log)
Help!
Best Answer
After looking a bit more into the details there are also ways to configure your requirement on auditd level. There is a list which is named exclude where you can add rules to be filtered out. As example the following command would exclude any AVC messages:
auditctl -a never,exclude -F msgtype=AVC
In this case the audit event is generated by apparmor and controlled with the loaded apparmor configuration. There is no corresponding rule which could be controlled/removed by auditctl on the kernel's audit subsystem. An explicit auditctl filtering rule can be created using the exclude list with corresponding matching rules. Personally I would prefer the way to not even generate the audit event if it is not needed by configuring apparmor to deny only.
AVC is also called the Access Vector Cache. This cache is used by SELinux/AppArmor to log access decisions and it looks like that this message type is by default recorded with auditd and has to be explicitly denied in case the user does not want that. The auditctl man page lists this as example in the exclude section. Further in SELinux there is also a mechanism that writes the AVC logs to disk when auditd is not running.
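As an added illustration (not part of the question or the answer above), the script below parses audit records in the two formats quoted in the question, separates the euid=0 SYSCALL events keyed ROOT_ACTION from the apparmor="DENIED" AVC events, and tallies the denials per profile. It also mirrors the effect of the blanket exclude rule from the answer: because it matches on msgtype=AVC alone, it drops every AVC record, not just the Slack noise. The sample records, the evince profile and the extra denial lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the two formats quoted in the question.
# The /usr/lib/slack/slack lines are the noisy case; /usr/bin/evince is a made-up
# second profile standing in for the "unexpected" denial the asker wants to keep.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1550318220.514:11479): arch=c000003e syscall=59 success=yes exit=0 a0=56002fde79a8 a1=56002fdeffc8 a2=56002fdee3a0 a3=0 items=2 ppid=7250 pid=7251 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="tail" exe="/usr/bin/tail" key="ROOT_ACTION"
type=AVC msg=audit(1550309442.438:207): apparmor="DENIED" operation="exec" profile="/usr/lib/slack/slack" name="/bin/dash" pid=2893 comm="slack" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1550309443.001:208): apparmor="DENIED" operation="exec" profile="/usr/lib/slack/slack" name="/bin/dash" pid=2893 comm="slack" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1550309444.120:209): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/shadow" pid=3001 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Turn one audit record into a dict; msg=audit(ts:serial) is split into time/serial."""
    rec = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else raw
    msg = MSG_RE.match(rec.get("msg", ""))
    if msg:
        rec["time"], rec["serial"] = float(msg.group(1)), int(msg.group(2))
    return rec


def excluded_by_blanket_rule(rec):
    """Mirror 'auditctl -a never,exclude -F msgtype=AVC': every AVC record is dropped,
    regardless of which AppArmor profile produced it."""
    return rec.get("type") == "AVC"


def summarize(log_text):
    """Count euid=0 SYSCALL events by key and AppArmor denials by (profile, op, target)."""
    root_actions, denials = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("euid") == "0":
            root_actions[rec.get("key", "")] += 1
        elif rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED":
            denials[(rec["profile"], rec["operation"], rec["name"])] += 1
    return root_actions, denials


if __name__ == "__main__":
    actions, denied = summarize(SAMPLE_LOG)
    print("root actions:", dict(actions))
    for (profile, op, target), n in denied.most_common():
        print(f"{n:6d}  {profile}  {op}  {target}")
```

Run it against a real file with `summarize(open("/var/log/audit/audit.log").read())` to see which profiles dominate the AVC volume before deciding between the exclude rule and changing the profile to a plain deny.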