How to exclude specific users, groups, or services when using auditd to audit syscalls

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux
  • auditd

Issue

  • How to exclude services from triggering syscall rules with audit?

  • We're using standard STIG rules to audit time-changes by syscall (e.g., in the same way as what can be seen with grep ^-a.*time-change /usr/share/doc/audit-*/stig.rules) but unfortunately ntpd (or chronyd on newer servers) is constantly triggering new audit events as it makes changes to the time. How can we exclude ntpd or chronyd from triggering these audit rules?

Resolution

See also: How to exclude specific users or groups when using auditd to watch files

  • Take a simple syscall rule like:

    -a always,exit -F arch=b64 -S clock_settime
    
  • The above rule can be extended with conditions to restrict when it will be triggered
    For example:

    • -F subj_type!=ntpd_t
      Adding this to the above rule effectively "whitelists" the use of clock_settime() by any processes running under the ntpd_t SELinux domain

    • -F auid!=timekeeper
      Adding this to the above rule effectively "whitelists" the use of clock_settime() by any processes owned by a user (probably root) who originally logged in as the "timekeeper" user

    • Note that there are many more rule field names to allow more specificity with users, groups, and the different components of the subject & object SELinux context
      (See the auditctl(8) man page for more details)

    • Note that it is not possible to add executable path (e.g., -F path!=/usr/sbin/ntpd) or command/process name to a syscall-auditing rule
      For more detail on this, see: How to exclude specific processes when using auditd to audit syscalls

Final example

  • The standard STIG rules audit time-changes

    ~]# grep ^-a.*time-change /usr/share/doc/audit-*/stig.rules
    -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    
  • To allow the ntpd and chronyd services to change time without triggering audit events on a system where SELinux is in enforcing or permissive, add -F subj_type!=ntpd_t to each line, resulting in:

    -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F subj_type!=ntpd_t -F key=time-change
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F subj_type!=ntpd_t -F key=time-change
    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F subj_type!=ntpd_t -F key=time-change
    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F subj_type!=ntpd_t -F key=time-change
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.