Auditd with the stig.rules: how to NOT see daemon activity when the services are restarted by a human after the boot of the server
Hello,
I am trying to put in place the auditing with the RHEL6 stig.rules (/usr/share/doc/audit-2.2/stig.rules), and my audit log becomes huge when I have to restart a service.
Example:
If I have to stop/start my cfengine service after a reboot, all the cfengine daemons have my uid in the AUID field,
and since my auid is >= 500 this creates a lot of audit logs (principally key=perm_mod and key=delete from the stig rules).
I am logging in to the server with my username by ssh, and after that I am doing sudo su - to be able to become root and restart the services.
Here is an example of the raw auditd log:
type=SYSCALL msg=audit(1353444110.407:105444): arch=c000003e syscall=90 success=yes exit=0 a0=7fff6407e140 a1=41ed a2=7fff6407f1d0 a3=7fff6407aec0 items=1 ppid=23962 pid=23963 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1265 comm="cf-agent" exe="/var/cfengine/bin/cf-agent" subj=unconfined_u:system_r:initrc_t:s0 key="perm_mod"
Does someone know if there is a way to restart an admin service without having your uid in the auid field?
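The record quoted above matches because the stig.rules watches keep only events whose login UID (auid) is a real user and not "unset" (the kernel's -1, seen as 4294967295). The login UID is set once at ssh login and survives sudo su -, so a daemon restarted by hand inherits it, while the same daemon started by init at boot carries the unset value. The following is an added example, not code from the post or from the audit package: it parses the quoted SYSCALL record, plus a constructed boot-time variant, and evaluates the stig-style auid filter (-F auid>=500 -F auid!=4294967295) against each so you can see which one the rules would log.

```python
import re

# Constructed sample input: the raw SYSCALL record quoted in the question,
# emitted after cfengine was restarted by a user who had done "sudo su -".
# auid=500 is that user's login UID; uid=0 is root.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1353444110.407:105444): arch=c000003e syscall=90 '
    'success=yes exit=0 a0=7fff6407e140 a1=41ed a2=7fff6407f1d0 a3=7fff6407aec0 '
    'items=1 ppid=23962 pid=23963 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=1265 comm="cf-agent" '
    'exe="/var/cfengine/bin/cf-agent" subj=unconfined_u:system_r:initrc_t:s0 '
    'key="perm_mod"'
)

# Kernel marker for "no login UID has been set": -1 stored as unsigned 32-bit.
AUID_UNSET = 4294967295

# Constructed sample: the same daemon started by init at boot. No login
# session exists, so both auid and ses are reported as unset.
BOOT_RECORD = (
    SAMPLE_RECORD.replace('auid=500', 'auid=%d' % AUID_UNSET)
                 .replace('ses=1265', 'ses=%d' % AUID_UNSET)
)

# One audit field: name=value, where value is either "quoted" or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split a single auditd record into a dict of field name -> value.
    Quoted values lose their quotes; everything stays a string."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(line)}


def matches_stig_auid_filter(fields, min_auid=500):
    """Reproduce the auid part of a stig.rules-style watch such as
    '-F auid>=500 -F auid!=4294967295': the event is recorded only when
    the login UID is a regular user (>= 500 on RHEL 6) and is not unset."""
    auid = int(fields['auid'])
    return auid >= min_auid and auid != AUID_UNSET


def summarize(line):
    """Return the fields an analyst looks at first, plus whether the
    stig auid filter would have kept this record."""
    fields = parse_audit_record(line)
    # msg=audit(<epoch seconds>.<ms>:<event id>):
    stamp = re.match(r'audit\((\d+\.\d+):(\d+)\)', fields['msg'])
    return {
        'timestamp': float(stamp.group(1)),
        'event_id': int(stamp.group(2)),
        'auid': int(fields['auid']),
        'uid': int(fields['uid']),
        'comm': fields['comm'],
        'exe': fields['exe'],
        'key': fields['key'],
        'audited': matches_stig_auid_filter(fields),
    }


if __name__ == '__main__':
    for label, record in (('restarted after sudo su -', SAMPLE_RECORD),
                          ('started by init at boot', BOOT_RECORD)):
        s = summarize(record)
        print('%-28s auid=%-10d uid=%d comm=%s key=%s -> audited=%s'
              % (label, s['auid'], s['uid'], s['comm'], s['key'], s['audited']))
```

Running it shows the hand-restarted cf-agent record is kept (auid 500 passes both conditions) while the boot-time variant is dropped, which is exactly the difference the question describes: the rules are keyed on who logged in, not on which uid the process currently runs as.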
Responses
Hello Yves,
Could you please provide a bit more information: what do you mean by "admin service"? Are you looking to have a rule that does not audit a specific service (start/stop) from a specific user? Which RHEL6 release are you using (cat /etc/redhat-release)?
Regards
Fábio Da Cunha
