Auditd filter

Posted on

Hello,

I'm trying to establish RHEL auditing with auditd.
We would like to log only commands of users connected over ssh and executed as the root user. For a start I'm testing these rules:
-a always,exit -F arch=b64 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
-a always,exit -F arch=b32 -S execve -F auid>1000 -F auid<99000000 -F uid=0 -F key=root-commands
It all works well, but the problem is that on some servers there was a lot of unnecessary logging of type=SYSCALL events from system activity with tty=(none).
I was trying to add a filter with tty!=(none), but the tty filter is not supported. Is there some other general option to filter out such events? I don't like the idea of writing a custom filter for every server.

Thanks and best regards,

Luka
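Since auditctl has no tty field, one option is to keep the kernel rules as they are and apply the tty!=(none) condition in userspace when reviewing the log. The script below is an added example, not part of Luka's post or of any reply: it parses raw SYSCALL records (for instance the output of ausearch -k root-commands --raw) and keeps only those that match the rule quoted above plus a real tty. The log lines, the pids and the exe paths in it are constructed sample data.

```python
import re

# Constructed sample records in auditd's SYSCALL line format (not from a real host).
# Record 201: interactive root command from a logged-in user -> keep.
# Record 202: same user, but no tty (script/background job) -> drop.
# Record 203: auid unset (4294967295), typical for cron/daemons -> drop.
# Record 204: non-root uid, even though it has a tty -> drop.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="systemctl" exe="/usr/bin/systemctl" key="root-commands"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=(none) ses=7 comm="sh" exe="/usr/bin/sh" key="root-commands"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4201 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="root-commands"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=4300 pid=4301 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=8 comm="ls" exe="/usr/bin/ls" key="root-commands"
type=PROCTITLE msg=audit(1700000000.104:204): proctitle="ls"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record line into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_interactive_root_command(rec, min_auid=1000, max_auid=99000000):
    """Mirror the kernel rule (auid range, uid=0, key=root-commands) and add the
    tty!=(none) condition that auditctl cannot express."""
    if rec.get("type") != "SYSCALL" or rec.get("key") != "root-commands":
        return False
    try:
        auid = int(rec.get("auid", -1))
    except ValueError:
        return False
    if not (min_auid < auid < max_auid):   # same strict bounds as the rule above
        return False
    if rec.get("uid") != "0":
        return False
    return rec.get("tty", "(none)") != "(none)"


def filter_log(text):
    """Return the parsed SYSCALL records that survive the userspace filter."""
    return [rec for rec in map(parse_record, text.splitlines())
            if is_interactive_root_command(rec)]


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_LOG):
        print(rec["auid"], rec["tty"], rec["exe"])
```

The kernel still records every execve that matches the rule, so this only reduces what is reviewed, not what is written to disk; ses=4294967295 together with auid=4294967295 is the usual signature of the daemon-originated events being filtered out here.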

Responses