I can't seem to find a way to filter cron messages from auditd, no matter what rules I have in place. I'm using Ubuntu 18.04.3 LTS.
For example, even if my /etc/audit/audit.rules contains no rules:
-D
-b 8192
-f 1
--backlog_wait_time 60000
--loginuid-immutable
-c
-i
Or if I try to filter the cron messages with e.g. (taken from various examples, none of which work):
-a never,exit -F auid=0 -F exe=/usr/sbin/cron
-a never,exit -F auid=unset -F exe=/usr/sbin/cron
-a never,user -F subj_type=cron
-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t
The following auditd messages are always logged every minute or so to /var/log/audit/audit.log:
type=USER_ACCT msg=audit(1576717621.342:13600): pid=12873 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1576717621.342:13601): pid=12873 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1576717621.342:13602): pid=12873 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2004 res=1
type=USER_START msg=audit(1576717621.342:13603): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1576717621.354:13604): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1576717621.354:13605): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
How do I go about disabling or filtering out these messages from audit?
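As an added example (not part of the original post, and not a change to auditd's own rules), the following Python sketch filters these records downstream, when reading audit.log. It shows that the LOGIN record has no exe= field and must be correlated by pid. The function names are hypothetical, and the sample holds three records from the post plus two constructed sshd records.

```python
import re

HEADER = re.compile(r"type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)")
PAIR = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")

def parse(line):
    """Flatten one audit.log record, including the nested msg='...' payload."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {"type": m.group(1), "second": int(float(m.group(2)))}
    for key, val in PAIR.findall(m.group(4)):
        if key == "msg":  # PAM payload: key=value pairs inside single quotes
            rec.update((k, v.strip('"')) for k, v in PAIR.findall(val[1:-1]))
        else:
            rec[key] = val.strip('"')
    return rec

def drop_cron(lines, exe="/usr/sbin/cron"):
    """Return the lines that do not belong to a cron PAM session."""
    recs = [(line, parse(line)) for line in lines]
    # LOGIN records carry no exe= field, so tie them to cron by (pid, second).
    cron = {(r.get("pid"), r["second"]) for _, r in recs
            if r and r.get("exe") == exe}
    kept = []
    for line, r in recs:
        is_cron = r is not None and (
            r.get("exe") == exe
            or (r["type"] == "LOGIN" and (r.get("pid"), r["second"]) in cron))
        if not is_cron:  # unparsable lines are kept, never silently dropped
            kept.append(line)
    return kept

# First three records are from the post; the two sshd records are constructed.
SAMPLE = """
type=USER_ACCT msg=audit(1576717621.342:13600): pid=12873 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1576717621.342:13602): pid=12873 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2004 res=1
type=USER_START msg=audit(1576717621.342:13603): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1576717700.100:13610): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
type=LOGIN msg=audit(1576717700.101:13611): pid=2201 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=2005 res=1
""".strip().splitlines()

if __name__ == "__main__":
    for kept_line in drop_cron(SAMPLE):
        print(kept_line)
```

A LOGIN record whose timestamp falls in a different second from the cron PAM records is kept rather than dropped, so the filter errs toward retaining login events.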