Disable cron messages in auditd

I can't seem to find a way to filter cron messages from auditd, no matter what rules I have in place. I'm using Ubuntu 18.04.3 LTS.

For example, even if my /etc/audit/audit.rules contains no rules:

-D
-b 8192
-f 1
--backlog_wait_time 60000
--loginuid-immutable
-c
-i

Or if I try to filter the cron messages with e.g. (taken from various examples, none of which work):

-a never,exit -F auid=0 -F exe=/usr/sbin/cron
-a never,exit -F auid=unset -F exe=/usr/sbin/cron
-a never,user -F subj_type=cron
-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t

The following auditd messages are always logged every minute or so to /var/log/audit/audit.log:

type=USER_ACCT msg=audit(1576717621.342:13600): pid=12873 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1576717621.342:13601): pid=12873 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1576717621.342:13602): pid=12873 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2004 res=1
type=USER_START msg=audit(1576717621.342:13603): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1576717621.354:13604): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1576717621.354:13605): pid=12873 uid=0 auid=0 ses=2004 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

How do I go about disabling or filtering out these messages from audit?

Solution 1:

see https://lists.fedoraproject.org/pipermail/users/2015-July/463114.html (by David A. De Graaf)

In short, some of these may do what you want:

-a exclude,always -F msgtype=MAC_IPSEC_EVENT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=USER_START
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=SERVICE_START

Solution 2:

The following rule solved this issue on my CentOS 7 system:

-a never,user -F subj_type=crond_t

Note that SELinux has to be enabled to make this rule work.

Disable cron messages in auditd

Solution 1:

Solution 2:

Related

Recent Posts