From: Ede Wolf <>
Subject: Re: audit.rules being really processed sequentially?
Date: Sun, 5 Sep 2021 10:04:12 +0200	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <3130208.aeNJFYEL58@x2>

Thanks very much for your help and heads up, even though of course bad news.


Am 02.09.21 um 18:21 schrieb Steve Grubb:
> On Thursday, September 2, 2021 11:54:12 AM EDT Ede Wolf wrote:
>> In my pursuit of taming auditd in that it only logs what has explicitly
>> been defined and nothing more, I've thought of a set of catch all rules
>> at the end. As the rules file is supposedly being processed
>> sequentially, i.e. first hit matches, this ought to work. But it doesn't.
>> Having a very simple rules file as an example:
>> -D
>> -e 1
>> -a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
>> -a always,exclude -F msgtype=EXECVE
>> -a always,exclude -F msgtype=FD_PAIR
>> -a always,exclude -F msgtype=FS_RELABEL
>> ...
>> (continue this for every message type from this link:
>> As easily to be guessed, my expectation would be, the invocation of vi
>> by anyone would get logged, as that rules comes first, but really
>> nothing else, as it is being discarded by the catchall rules.
>> Surprisingly however, in reality, nothing gets logged at all, not even
>> the invocation of vi.
>> Now, removing those catchall rules at the end does log the calling of
>> vi, but of course also all other stuff I neither have defined nor want
>> to be written out.
>> So, if the audit.rules file really is being processed sequentially, what
>> am I missing in my approach?
> It might be useful to look at slide 15 of this:
> The output of the rule matching engine gets fed to the exclude filter for a
> second look. The exclude filter then drops objectionable records. In your
> case, it is told to drop everything.
> Audit records in the 1300 block are related to rules. You need to let all of
> them through.
> -Steve

Linux-audit mailing list
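The two-stage behaviour Steve describes (syscall rules decide which events are generated, then the exclude filter gets a second look at every record and drops any whose msgtype is excluded) is easy to reproduce offline. The following is an added illustration, not code from the thread or from the audit project: it parses the exclude lines of a rules file, flags any excluded type in the 1300 block, and runs a constructed execve event for /bin/vi through the exclude stage. The handful of type numbers come from the kernel's include/uapi/linux/audit.h; the rules file continuation and the record contents are constructed for the example.

```python
import re

# Subset of audit record type numbers (include/uapi/linux/audit.h). Only the
# types this example needs; check others against your own kernel headers.
AUDIT_TYPES = {
    "SYSCALL": 1300,
    "PATH": 1302,
    "CWD": 1307,
    "EXECVE": 1309,
    "FD_PAIR": 1317,
    "PROCTITLE": 1327,
    "FS_RELABEL": 2309,
}

# The "1300 block": records that carry the output of syscall (-S) rules.
RULE_RELATED_RANGE = range(1300, 1400)

# Matches '-a always,exclude -F msgtype=NAME' (either field order for the action).
EXCLUDE_RE = re.compile(
    r"^-a\s+(?:always,exclude|exclude,always)\b.*?-F\s+msgtype=(\w+)"
)


def excluded_msgtypes(rules_text):
    """Message types that exclude rules in rules_text tell auditd to drop."""
    found = []
    for line in rules_text.splitlines():
        m = EXCLUDE_RE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def offending_excludes(rules_text):
    """Excluded types in the 1300 block; each one silences part of every -S rule."""
    return [t for t in excluded_msgtypes(rules_text)
            if AUDIT_TYPES.get(t) in RULE_RELATED_RANGE]


def apply_exclude_filter(event, rules_text):
    """Second stage: each record of an event is kept unless its type is excluded."""
    excluded = set(excluded_msgtypes(rules_text))
    return [rec for rec in event if rec[0] not in excluded]


# Constructed event: the records the rule engine emits when /bin/vi is executed
# and the '-S execve -F path=/bin/vi' rule matches. Field contents are illustrative.
VI_EXEC_EVENT = [
    ("SYSCALL", "arch=c000003e syscall=59 success=yes exe=/bin/vi key=EDIT_FILE"),
    ("EXECVE", "argc=2 a0=vi a1=notes.txt"),
    ("CWD", "cwd=/home/user"),
    ("PATH", "item=0 name=/bin/vi nametype=NORMAL"),
    ("PROCTITLE", "proctitle=vi notes.txt"),
]

# The rules from the question, with the "..." continued (constructed) so that
# every message type, including the 1300 block, ends up excluded.
BROKEN_RULES = """\
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
-a always,exclude -F msgtype=SYSCALL
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=PATH
-a always,exclude -F msgtype=PROCTITLE
"""

# Same intent, but the catch-all only names types outside the 1300 block,
# so the records produced by the vi rule are let through.
FIXED_RULES = """\
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=FS_RELABEL
"""

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        bad = offending_excludes(rules)
        kept = apply_exclude_filter(VI_EXEC_EVENT, rules)
        print(f"{name}: 1300-block types excluded={bad} records surviving={len(kept)}")
```

With the broken file every record of the vi event is dropped at the second stage, which is exactly the "nothing gets logged, not even vi" symptom; with the fixed file the event survives intact. `offending_excludes` is the check worth running over any rules file that uses msgtype exclusions.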
