I am trying to exclude everything but the things I want in auditd; however, the things I've tried seem to log a lot more details, the majority of which are irrelevant.

-a never,exclude -F msgtype=CWD
-a never,exclude -F msgtype=USER_ACCT
-a never,exclude -F msgtype=CONFIG_CHANGE
-a never,exclude -F msgtype=SERVICE_START
-a never,exclude -F msgtype=SERVICE_STOP
-a never,exclude -F msgtype=PROCTITLE

-a exit,never -F auid<100
-a exit,never -F uid<100

-a exit,never -F exe=/usr/sbin/mount.nfs
-a exit,never -F exe=/usr/sbin/automount

-a always,exit -F arch=b64 -S connect

I can exclude them manually, but it's impossible to catch everything apart from the specific thing I want to log.

So the question: how do I configure it to exclude everything except the things you want?

Jenny D
Tbuermann
  • Why is it you want it to not log these things? Is it because of performance issues, or because the log gets too large, or because the amount of things in the log makes it hard to find the things you are interested in, or something else that I can't think of at the moment? – Jenny D Jan 17 '19 at 07:26
  • Hi Jenny, it's really a combination of all of the issues you are describing. Performance on these servers is a big issue, and if the logs get too large due to them being very active, it makes finding the relevant information very difficult. – Tbuermann Jan 17 '19 at 08:29
  • For finding the relevant information, `ausearch` might be a solution, though that doesn't help with the performance issues. – Jenny D Jan 17 '19 at 09:03
  • What do you want to audit and exclude, at a high level? What is the approximate event volume, which for syscalls you can profile: `perf stat -e 'syscalls:sys_enter_connect' -a sleep 10` – John Mahowald Jan 17 '19 at 12:38
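Added worked example (this is not from the question or the comments above): the way to get "nothing but what I ask for" out of auditd is to flush the loaded set with `-D`, list every `never` rule ahead of the single `always` rule (the exit filter stops at the first rule that matches, so an `always` rule placed first makes any later `never` rule dead), and drop the record types that are merely part of each connect event (CWD, PROCTITLE, SOCKADDR) through the `exclude` list, which is the only list that can touch them. Two details the question's rules miss: daemons started at boot carry the unset loginuid 4294967295, which `auid<100` never matches, and user-space messages such as USER_ACCT or SERVICE_START come from PAM and systemd, not from a syscall, so only `exclude` can suppress them. The script below emits such a rules.d fragment and checks the ordering before you load it. The key name `net_connect`, the `auid<1000` threshold, the `b64`-only arch, the backlog/failure settings and the file name `50-connect-only.rules` are my assumptions; the two `exe` paths are the ones from the question.

```shell
#!/bin/sh
# Added example, not the asker's rules: build a "log only connect(2)" ruleset
# for /etc/audit/rules.d and sanity-check rule ordering before loading it.
# Assumed values: key net_connect, auid>=1000 are interactive logins, b64 only.

# Emit the ruleset. Order matters: the exit filter applies the first matching
# rule, so every "never" rule must precede the "always" rule it shadows, and
# "-D" flushes whatever a previous load left behind.
connect_only_rules() {
cat <<'EOF'
## Constructed example ruleset: flush, then allow only what we ask for
-D
-b 8192
-f 1

## Auxiliary record types of every event we keep; only "exclude" can drop them
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PROCTITLE
-a exclude,always -F msgtype=SOCKADDR
## User-space (PAM/systemd) messages: not syscalls, so the exit filter cannot see them
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP

## Exit-filter "never" rules, scoped to the same syscall as the "always" rule.
## auid=4294967295 is the unset loginuid of daemons started at boot;
## "auid<1000" alone would not match it, so it is excluded explicitly.
-a never,exit -F arch=b64 -S connect -F auid=4294967295
-a never,exit -F arch=b64 -S connect -F auid<1000
-a never,exit -F arch=b64 -S connect -F exe=/usr/sbin/mount.nfs
-a never,exit -F arch=b64 -S connect -F exe=/usr/sbin/automount

## The only thing we actually want: connect(2) from logged-in users
-a always,exit -F arch=b64 -S connect -k net_connect
EOF
}

# Sanity check on a ruleset read from stdin: the first real line must be -D,
# and no "never,exit" rule may follow an "always,exit" rule (it would never
# be reached). Returns 0 when the set is well ordered, 1 otherwise.
check_rule_order() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                       # skip comments and blanks
    first == ""          { first = $0 }                 # remember the first rule
    /^-a (always,exit|exit,always)/ { seen_always = 1 }
    /^-a (never,exit|exit,never)/ && seen_always { bad = 1 }
    END { if (first == "-D" && !bad) exit 0; exit 1 }
  '
}

# Write the checked ruleset to a rules.d fragment (path is an argument so the
# script stays side-effect free when sourced). Returns 1 without writing if
# the ordering check fails.
write_rules() {
  dest="${1:?destination path required}"
  connect_only_rules | check_rule_order || return 1
  connect_only_rules > "$dest"
}

# Usage: sh connect-only.sh --print
#        sh connect-only.sh --install && augenrules --load && auditctl -l
case "${1:-}" in
  --print)   connect_only_rules ;;
  --install) write_rules /etc/audit/rules.d/50-connect-only.rules ;;
esac
```

After `augenrules --load`, `auditctl -l` should show the rules in exactly the order of the file, and `ausearch -k net_connect -i` pulls out only the connect events. Note that the `exclude` entries are global: once CWD and PROCTITLE are excluded they are gone from every event, not just from the connect ones.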

0 Answers