The Geek Diary

How to Ignore/Disable Specific auditd Logging Entries

by admin

When auditd logging is enabled on a Linux system, the volume of records can be overwhelming, and a customer may want to suppress the entries generated by one specific command or syscall. For example, the entries below are being logged by the audit subsystem (normally in /var/log/audit/audit.log; they turn up in /var/log/messages when auditd is not running and the kernel's audit messages fall through to syslog):

type=CWD msg=audit(1464664627.639:1858714): cwd="/u01/app/oracle/emagent/12.1.0.3/agent_inst/sysman/emd"
type=PATH msg=audit(1464664627.639:1858714): item=0 name="/u01/app/oracle/emagent/12.1.0.3/agent_inst/sysman/emd/upload/upload/stream0/" inode=17910851 dev=fc:03 mode=040740 ouid=1000 ogid=1001 rdev=00:00
type=PATH msg=audit(1464664627.639:1858714): item=1 name="/u01/app/oracle/emagent/12.1.0.3/agent_inst/sysman/emd/upload/upload/stream0/D_P4_S0_I174383.xml" inode=17913267 dev=fc:03 mode=0100640 ouid=1000 ogid=1001 rdev=00:00
type=SYSCALL msg=audit(1464664627.639:1858715): arch=c000003e syscall=87 per=400000 success=yes exit=0 a0=7f8b5c002180 a1=180 a2=7f8b5c002180 a3=7f8e9e1e3278 items=2 ppid=31951 pid=34940 auid=1075 uid=1000 gid=1001 euid=1000 suid=1000 fsuid=1000 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=17377 comm="java" exe="/u01/app/oracle/emagent/12.1.0.3/core/12.1.0.5.0/jdk/bin/java" key="delete"
The customer would like to suppress these records because they add no value: they are routine deletions of transient upload files by the Enterprise Manager agent's own java process (arch=c000003e is x86_64, where syscall 87 is unlink, which is why the key="delete" rule caught them). Before adding an exclusion, confirm that the excluded activity really is noise, because a never rule removes it from the audit trail entirely.

Disabling specific auditd logging entries

1. The easiest way is to exclude the whole directory tree from the rule that is catching it. Two corrections to the syntax often seen for this: -W removes a watch (it does not add a rule), and the exclude filter list only accepts msgtype (plus, on newer kernels, a few process attributes such as pid, uid, gid, auid and sessionid), so file-path fields have to go on the exit list:

-a never,exit -F dir=/u01/app/oracle/emagent/12.1.0.3/ -k exclude

The rule above stops the audit subsystem from recording syscalls whose PATH records fall under /u01/app/oracle/emagent/12.1.0.3/ (dir= places a recursive watch; path= would match one file only). Because the kernel takes the first matching rule, this never rule must be placed before the always rule it is meant to override (here the one keyed "delete"); placed after it, it does nothing. With no -S list it applies to every syscall, so add the same -S list as the always rule if only the deletes are to be suppressed. The -k on a never rule never reaches a log record, but it makes the rule easy to find in auditctl -l output and to delete by key.

2. Alternatively, match on narrower attributes of the event:

-a never,exit -F exe=/u01/app/oracle/emagent/12.1.0.3/core/12.1.0.5.0/jdk/bin/java -k exclude
-a never,exit -F dir=/u01/app/oracle/emagent/12.1.0.3/agent_inst/sysman/emd -k exclude
-a never,exit -F inode=17910851 -k exclude
-a never,exit -F inode=17913267 -k exclude

These examples use the exe, dir and inode fields. auditctl has no cwd field, so the second rule uses dir= on the working directory shown in the CWD record, which covers the files under it. exe= requires a kernel and audit userspace that support executable filtering (see man auditctl) and silences everything that binary does for the matching syscalls, so use it only for a binary that the audited users cannot replace. inode= matches the inode number alone, so pair it with -F devmajor/-F devminor on a host with more than one filesystem; for delete events it is of little use anyway, since the deleted files' inode numbers are freed and reused.

3. Add the rules to /etc/audit/audit.rules. On CentOS/RHEL 7, where augenrules assembles that file from /etc/audit/rules.d/*.rules, put them in a file under /etc/audit/rules.d/ instead, named so that it sorts before the file holding the always rules. Then check whether the rules file ends with the immutable flag:

# Make the configuration immutable -- reboot is required to change audit rules
#-e 2

If -e 2 is active (not commented out), the loaded rule set is locked and no rule change, these exclusions included, can be applied until the next reboot. Comment it out while testing the new rules, or keep it for a hardened system and accept that the change takes effect only after a reboot.

4. A reboot is required if -e 2 was in effect. Otherwise restart auditd so that it reloads the rules file:

# service auditd restart

Use service rather than systemctl on CentOS/RHEL 7: the unit file refuses manual stops, and the legacy service action is what re-reads the rules. Verify the result with auditctl -l, which lists the rules in the order the kernel evaluates them, and confirm that the never rules appear before the always rule they override.
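
The whole procedure above, as an added shell script that is not part of the original article: it writes a rules fragment with the never rules placed ahead of an assumed always rule keyed "delete" (the rule the article's events imply; its exact form, the -S list, the fragment file name and the /etc/audit/rules.d location are assumptions made for this example), checks that no never rule follows an always rule or -w watch in a rules file, refuses to continue when auditctl -s reports immutable mode, and loads the result. The ordering check and the status parser run offline; only the --load path needs root and auditd.

```bash
#!/bin/bash
# Added example, not from the original article: write an audit rules fragment
# in which the "never" exclusions come before the "always" rule they override,
# check that ordering, refuse to proceed in immutable mode, then load the rules.
#
# Assumptions (hypothetical, not from the article): the key="delete" events were
# produced by a rule like the "always" line below; the -S list, the fragment
# name 50-emagent-exclude.rules and the /etc/audit/rules.d location are choices
# made for this demo.

# Print the rules fragment. The kernel walks the exit-filter list in order and
# the first matching rule decides, so a never rule placed after the always rule
# is dead. The -S list keeps the exclusions to the same syscalls: a never rule
# without -S means -S all and would also silence any -w watch or other rule
# covering the same directory.
emit_rules() {
    cat <<'EOF'
## Exclusions first: first match wins
-a never,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=/u01/app/oracle/emagent/12.1.0.3/ -k exclude
## -F exe= needs a kernel and auditctl that support executable filtering
-a never,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exe=/u01/app/oracle/emagent/12.1.0.3/core/12.1.0.5.0/jdk/bin/java -k exclude
## Assumed rule that produced the key="delete" events in the article
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
EOF
}

# Return 0 when no never rule follows an always rule (or a -w watch, which is an
# always rule on the exit list) of the same filter list in the given file;
# return 1 and name the offending lines otherwise. -A (prepend) is not modelled.
check_order() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blank lines
        $1 == "-w" { seen_always["exit"] = 1; next }    # watches are always,exit
        $1 == "-a" {
            if (split($2, p, ",") != 2) {
                print "cannot parse list,action: " $0 > "/dev/stderr"; bad = 1; next
            }
            # auditctl accepts both list,action and action,list
            if (p[1] == "always" || p[1] == "never") { action = p[1]; list = p[2] }
            else                                       { action = p[2]; list = p[1] }
            if (action == "always") seen_always[list] = 1
            if (action == "never" && (list in seen_always)) {
                print "ineffective never rule (an always rule on the " list " list precedes it): " $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Return 0 when `auditctl -s` output shows enabled 2 (rules locked until reboot,
# the "-e 2" case). Handles both the "enabled 2" line of current auditctl and
# the older "AUDIT_STATUS: enabled=2 ..." format.
is_immutable() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])enabled[ =]2([[:space:]]|$)'
}

# Usage, as root: ./exclude-emagent.sh --load [rules_file]
if [ "${1:-}" = "--load" ]; then
    rules_file=${2:-/etc/audit/rules.d/50-emagent-exclude.rules}
    if is_immutable "$(auditctl -s 2>/dev/null)"; then
        echo "audit rules are immutable (-e 2); reboot before changing them" >&2
        exit 1
    fi
    emit_rules > "$rules_file"
    check_order "$rules_file" || exit 1
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load                    # RHEL 7: merge rules.d/*.rules and load
        check_order /etc/audit/audit.rules   # ordering across all merged fragments
    else
        auditctl -R "$rules_file"            # RHEL 5/6: load the file directly
    fi
    auditctl -l                              # rules as the kernel evaluates them
fi
```

Run check_order against the merged /etc/audit/audit.rules, not only against your own fragment: with augenrules the fragments are concatenated in file-name order, so a never rule in 50-emagent-exclude.rules is still dead if 10-base.rules already carries the always rule or a -w watch on the same tree.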

For more information and examples of auditd rule, check the man page of auditctl.

# man auditctl

Filed Under: CentOS/RHEL 5, CentOS/RHEL 6, CentOS/RHEL 7, Linux
