linux-audit.redhat.com archive mirror
From: Ede Wolf <listac@nebelschwaden.de>
To: linux-audit@redhat.com
Subject: Re: audit.rules being really processed sequentially?
Date: Sun, 5 Sep 2021 10:04:12 +0200	[thread overview]
Message-ID: <9a1baf86-c01b-e56d-9923-ddd86673bccc@nebelschwaden.de> (raw)
In-Reply-To: <3130208.aeNJFYEL58@x2>

Thanks very much for your help and heads up, even though of course bad news.

Ede

Am 02.09.21 um 18:21 schrieb Steve Grubb:
> On Thursday, September 2, 2021 11:54:12 AM EDT Ede Wolf wrote:
>> In my pursuit of taming auditd in that it only logs what has explicitly
>> been defined and nothing more, I've thought of a set of catch all rules
>> at the end. As the rules file is supposedly being processed
>> sequentially, i.e. first hit matches, this ought to work. But it doesn't.
>>
>> Having a very simple rules file as an example:
>>
>> -D
>> -e 1
>>
>> -a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
>>
>> -a always,exclude -F msgtype=EXECVE
>> -a always,exclude -F msgtype=FD_PAIR
>> -a always,exclude -F msgtype=FS_RELABEL
>> ...
>>
>> (continue this for every message type from this link:
>>
>>    https://access.redhat.com/articles/4409591#audit-record-types-2)
>>
>> As can easily be guessed, my expectation would be that the invocation
>> of vi by anyone would get logged, as that rule comes first, but really
>> nothing else, as it is being discarded by the catchall rules.
>>
>> Surprisingly however, in reality, nothing gets logged at all, not even
>> the invocation of vi.
>>
>> Now, removing those catchall rules at the end does log the calling of
>> vi, but of course also all other stuff I neither have defined nor want
>> to be written out.
>>
>> So, if the audit.rules file really is being processed sequentially, what
>> am I missing in my approach?
> 
> It might be useful to look at slide 15 of this:
> 
> http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
> 
> The output of the rule matching engine gets fed to the exclude filter for a
> second look. The exclude filter then drops objectionable records. In your
> case, it is told to drop everything.
> 
> Audit records in the 1300 block are related to rules. You need to let all of
> them through.
> 
> -Steve
> 
> 

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
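A check for the failure mode Steve describes, added here as an example and not code from the thread or from the audit project: every syscall rule (-a always,exit ...) emits records from the 1300 block (SYSCALL, EXECVE, CWD, PATH, PROCTITLE, EOE and so on), and the exclude filter is applied to those records after rule matching, so an exclude rule for any of those types silently drops the output of your own rules. The POSIX sh lint below reads an audit.rules file and flags each exclude rule whose msgtype is in the 1300 block. Assumptions: the list of 1300-block type names is taken from the kernel's include/uapi/linux/audit.h (AUDIT_SYSCALL = 1300 up to AUDIT_FANOTIFY = 1331), msgtype may be given as a name or a number as auditctl accepts, and the two sample rules files are constructed for this example (one mirrors the thread's file, one keeps only non-1300 exclusions).

```shell
#!/bin/sh
# Lint for audit.rules: flag exclude rules that drop 1300-block records.
# Added example, not code from the thread or from the audit project.
# Assumption: these names are the 1300-block AUDIT_* record types from the
# kernel's include/uapi/linux/audit.h (1300 = SYSCALL ... 1331 = FANOTIFY).
SYSCALL_BLOCK_TYPES="SYSCALL PATH IPC SOCKETCALL CONFIG_CHANGE SOCKADDR CWD \
EXECVE IPC_SET_PERM MQ_OPEN MQ_SENDRECV MQ_NOTIFY MQ_GETSETATTR KERNEL_OTHER \
FD_PAIR OBJ_PID TTY EOE BPRM_FCAPS CAPSET MMAP NETFILTER_PKT NETFILTER_CFG \
SECCOMP PROCTITLE FEATURE_CHANGE REPLACE KERN_MODULE FANOTIFY"

# audit_msgtype_in_syscall_block NAME_OR_NUMBER
# Exit 0 if the value names a 1300-block record type, either symbolically
# or as a number in 1300..1399 (auditctl accepts both forms for msgtype).
audit_msgtype_in_syscall_block() {
    case "$1" in
        13[0-9][0-9]) return 0 ;;
    esac
    case " $SYSCALL_BLOCK_TYPES " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# audit_rules_lint FILE
# Print every exclude rule whose msgtype is in the 1300 block, with its
# line number. Exit 0 if the file is clean, 1 if anything was flagged.
audit_rules_lint() {
    n=0
    bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        # Only exclude-filter rules matter here; accept either flag order
        # (always,exclude or exclude,always) and -a or -A.
        case "$line" in
            "-a "*exclude*|"-A "*exclude*) ;;
            *) continue ;;
        esac
        t=$(printf '%s\n' "$line" | sed -n 's/.*msgtype=\([A-Za-z0-9_]*\).*/\1/p')
        [ -n "$t" ] || continue
        if audit_msgtype_in_syscall_block "$t"; then
            printf 'line %d: drops 1300-block record type %s: %s\n' "$n" "$t" "$line"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed samples: broken.rules mirrors the thread's file, fixed.rules
# keeps the execve rule and excludes only types outside the 1300 block.
demo_dir=$(mktemp -d)
cat > "$demo_dir/broken.rules" <<'EOF'
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
EOF
cat > "$demo_dir/fixed.rules" <<'EOF'
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=FS_RELABEL
-a always,exclude -F msgtype=USER_AVC
EOF

for f in broken fixed; do
    if audit_rules_lint "$demo_dir/$f.rules"; then
        echo "$f.rules: ok"
    else
        echo "$f.rules: the exclude rules above drop your own syscall records"
    fi
done
```

Run it against the thread's full rules file and every exclude line for EXECVE, FD_PAIR, SYSCALL, CWD, PATH, PROCTITLE, EOE and the rest of the 1300 block is reported; removing those lines leaves the exclude filter free to suppress unrelated record types (FS_RELABEL, USER_AVC, and so on) while the vi rule's event still reaches the log. The check is purely syntactic: it does not evaluate rule order or other -F fields, and a numeric msgtype is classified by range only, so verify the loaded set with auditctl -l afterwards.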


Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-02 15:54 Ede Wolf
2021-09-02 16:21 ` Steve Grubb
2021-09-05  8:04   ` Ede Wolf [this message]