My auditd rules and my needs are fairly simple: I only want to log root actions.
# auditctl -l
-a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION
That is the only rule, and it works:
type=SYSCALL msg=audit(1550318220.514:11479): arch=c000003e syscall=59 success=yes exit=0 a0=56002fde79a8 a1=56002fdeffc8 a2=56002fdee3a0 a3=0 items=2 ppid=7250 pid=7251 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="tail" exe="/usr/bin/tail" key="ROOT_ACTION"
However, I also have apparmor profiles to explicitly deny certain apps privileges they do not need. This is deliberate and works as expected. However, they result in my auditd.log being spammed up with stuff like:
type=AVC msg=audit(1550309442.438:207): apparmor="DENIED" operation="exec" profile="/usr/lib/slack/slack" name="/bin/dash" pid=2893 comm="slack" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As you can see, that's being executed by Slack running as a non-root user, so it isn't being caught by my ROOT_ACTION auditd rule.
It does this a LOT:
# cat /var/log/audit/*| egrep apparmor | wc -l
40574
That's in less than 24 hours.
I realise I could use aureport and ausearch or a myriad of other methods to filter what I see. However, I would prefer not to introduce the bias of only finding the weirdness I was expecting, because it's the unexpected that worries me.
So, how can I:
- stop auditd from appending these events to /var/log/audit/audit.log?
- prevent apparmor from logging denied activities in the context of an individual profile (not globally)? (UPDATE: Hargut's answer below addresses this; the solution is to explicitly use 'deny', which does not log.)
Help!
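The two knobs the question is reaching for, as an added example that is not part of the original question or of any answer: an auditd exclude-list rule that drops AVC records in the kernel before they are ever handed to auditd (the ROOT_ACTION rule keeps working because the exclude list is matched on record type, not on the syscall filter), and, on the AppArmor side, an explicit `deny` rule for the one path Slack keeps hitting, since plain `deny` rules are silent and only `audit deny` or an implicit denial is logged. The rules file path and the `/bin/dash` profile line are assumptions; the script only installs anything when run as root on a host that has the audit userspace.

```shell
#!/bin/sh
# Added example, not from the original question or any answer.
# Two independent ways to stop AppArmor AVC records flooding audit.log:
#   1. an auditd exclude rule (global: drops every AVC record, including
#      SELinux ones and denials from profiles you still care about);
#   2. a silent per-profile 'deny' rule (local: only that path in that
#      profile stops being logged; everything else is still audited).
# RULES_FILE and the /bin/dash rule are assumptions for illustration.
set -eu

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/10-root-actions.rules}"

# Rule set to load. The exclude list only accepts record-type matches,
# so this drops AVC records regardless of which profile produced them.
# The second rule is the ROOT_ACTION rule from the question, unchanged.
audit_rules() {
    cat <<'EOF'
## Drop AppArmor (and SELinux) AVC records before auditd sees them.
-a always,exclude -F msgtype=AVC
## Log every exec performed with euid 0.
-a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION
EOF
}

# Per-profile alternative: a hypothetical fragment for the
# /usr/lib/slack/slack profile. A bare 'deny' rule is not logged;
# write 'audit deny /bin/dash x,' instead if you do want the record.
apparmor_deny_rule() {
    cat <<'EOF'
  # silent: 'deny' rules are only logged when prefixed with 'audit'
  deny /bin/dash x,
EOF
}

# Install the audit rules. Refuses to act unless root with auditctl
# available, so it is safe to source on a workstation without auditd.
apply_audit_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v auditctl >/dev/null 2>&1; then
        echo "not root or auditctl missing; rules not applied" >&2
        return 1
    fi
    audit_rules > "$RULES_FILE"
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load          # merges /etc/audit/rules.d/*.rules
    else
        auditctl -R "$RULES_FILE"  # older audit userspace
    fi
    # Confirm both rules are live in the kernel.
    auditctl -l | grep -q 'msgtype=AVC' &&
        auditctl -l | grep -q 'key=ROOT_ACTION'
}

# Count AVC records in a log file (same measurement the question used),
# to compare before and after. Prints 0 rather than failing on no match.
count_avc() {
    grep -c '^type=AVC ' "${1:-/var/log/audit/audit.log}" || true
}
```

Pick one of the two deliberately: the exclude rule is the one-line fix for "stop appending these events", but it also throws away denials from any profile you might actually want to see, so the per-profile `deny` is the choice that keeps the unexpected visible while silencing only the noise you have already explained.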