How to exclude specific processes when using auditd to audit syscalls


Environment

  • Red Hat Enterprise Linux
  • auditd

Issue

  • How to exclude specific processes by process name when auditing syscalls with auditd?

  • We want to audit certain syscalls (e.g. -a always,exit -F arch=b64 -S fchown) but we also want to ignore use of these syscalls by certain applications which we are not concerned about. How can we "whitelist" specific commands to keep them from triggering on an audit rule and generating an event?

Resolution

  • In modern versions of RHEL it's possible to build syscall-auditing rules that also filter based on:

    • target file path, where applicable
    • process PID, PPID
    • process user, group
    • process (subject) SELinux context (e.g., type or role)
    • target resource (object) SELinux context (e.g., type or role)
  • For details on the above, see: How to exclude specific users, groups, or services when using auditd to audit syscalls

  • Note, however, that it is not possible to add executable paths to a syscall rule with -F path!=/bin/xxxx or -F path=/bin/xxxx.
    The former (path!=) is not allowed at all, and the latter (path=) restricts the rule to matching syscalls that operate on that file as their target; it does not select the process that made the call.

  • The release of RHEL 7.3 included updated userspace and kernel components that allow auditing based on executable name using -F exe=/path/to/executable (the full path is required, and the != operator is not allowed).
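
As an added example (not from the Red Hat article), the POSIX sh linter below checks candidate syscall rules against the constraints described above before they are loaded: it rejects -F path!=, rejects -F exe!=, requires an absolute path for -F exe=, and warns that -F path= filters on the target file rather than the calling program. The rules file it writes is a constructed sample for demonstration, not a real /etc/audit/rules.d entry.

```shell
#!/bin/sh
# lint_audit_rule RULE : exit 0 if the rule uses only forms the article allows,
# 1 otherwise; problems are printed on stdout.
lint_audit_rule() {
    rule=$1
    status=0
    set -f                      # no globbing while we split the rule into tokens
    for tok in $rule; do
        case $tok in
            path!=*)            # auditctl does not accept a negated path filter
                echo "ERROR: '$tok': path!= is not permitted in a syscall rule"
                status=1 ;;
            path=*)             # legal, but it matches the file being acted on
                echo "WARN: '$tok' restricts the rule to syscalls acting on that file, not to a calling program" ;;
            exe!=*)             # the != operator is not allowed with -F exe
                echo "ERROR: '$tok': != is not allowed with -F exe"
                status=1 ;;
            exe=/*)             # absolute path: this is the supported form
                ;;
            exe=*)              # relative or bare name: full path is required
                echo "ERROR: '$tok': -F exe requires the full absolute path"
                status=1 ;;
        esac
    done
    set +f
    return $status
}

# lint_rules_file FILE : lint every non-comment line; exit 0 only if all pass.
lint_rules_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! lint_audit_rule "$line"; then
            echo "  in: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "$bad rule(s) rejected"
    [ "$bad" -eq 0 ]
}

# write_demo_rules FILE : constructed sample with one valid and two invalid rules.
write_demo_rules() {
    cat > "$1" <<'EOF'
## Constructed demo rules (hypothetical key names), not a real rules.d file
-a always,exit -F arch=b64 -S fchown -F exe=/usr/bin/chown -k chown_by_chown
-a always,exit -F arch=b64 -S fchown -F path!=/usr/bin/chown -k bad_path_neq
-a always,exit -F arch=b64 -S fchown -F exe!=/usr/bin/chown -k bad_exe_neq
EOF
}
```

Run `lint_rules_file` on a candidate file before copying it into /etc/audit/rules.d and reloading with augenrules; the two bad lines above are rejected and the exe= line passes.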

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.