From mboxrd@z Thu Jan 1 00:00:00 1970
To: linux-audit@redhat.com
From: Ede Wolf
Subject: audit.rules being really processed sequentially?
Date: Thu, 2 Sep 2021 17:54:12 +0200
Reply-To: listac@nebelschwaden.de
List-Id: Linux Audit Discussion

Hello,

In my pursuit of taming auditd so that it only logs what has explicitly been defined and nothing more, I've thought of a set of catch-all rules at the end. As the rules file is supposedly being processed sequentially, i.e. first hit matches, this ought to work. But it doesn't.

Having a very simple rules file as an example:

-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
...

(continue this for every message type from this link: https://access.redhat.com/articles/4409591#audit-record-types-2)

As can easily be guessed, my expectation would be that the invocation of vi by anyone would get logged, as that rule comes first, but really nothing else, as it is being discarded by the catch-all rules.

Surprisingly however, in reality, nothing gets logged at all, not even the invocation of vi.

Now, removing those catch-all rules at the end does log the calling of vi, but of course also all the other stuff I neither have defined nor want to be written out.

So, if the audit.rules file really is being processed sequentially, what am I missing in my approach?

Thanks very much for any insight.

Ede

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit