linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
From: Ede Wolf <listac@nebelschwaden.de>
To: linux-audit@redhat.com
Subject: audit.rules being really processed sequentially?
Date: Thu, 2 Sep 2021 17:54:12 +0200	[thread overview]
Message-ID: <aa217367-1ee5-8861-eeeb-33190406908e@nebelschwaden.de> (raw)

Hello,


In my pursuit of taming auditd in that it only logs what has explicitly 
been defined and nothing more, I've thought of a set of catch all rules 
at the end. As the rules file is supposedly being processed 
sequentially, i.e. first hit matches, this ought to work. But it doesn't.

Having a very simple rules file as an example:

-D
-e 1

-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE

-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
...

(continue this for every messagetype from this link:

  https://access.redhat.com/articles/4409591#audit-record-types-2)

As easily to be guessed, my expectation would be, the invokation of vi 
by anyone would get logged, as that rules comes first, but really 
nothing else, as it is being discaded by the catchall rules.

Surprisingly however, in reality, nothing gets logged at all, not even 
the invocation of vi.

Now, removing those catchall rules at the end does log the calling of 
vi, but of course also all other stuff I neither  have defined nor want 
to be written out.

So, if the audit.rules file really is being processed sequentally, what 
am I missing in my approach?


Thanks very much for any insight.


Ede

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


             reply	other threads:[~2021-09-02 16:03 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-02 15:54 Ede Wolf [this message]
2021-09-02 16:21 ` Steve Grubb
2021-09-05  8:04   ` Ede Wolf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa217367-1ee5-8861-eeeb-33190406908e@nebelschwaden.de \
    --to=listac@nebelschwaden.de \
    --cc=linux-audit@redhat.com \
    --subject='Re: audit.rules being really processed sequentially?' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).