From: Michael C Thompson <thompsmc@us.ibm.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Multiple Rule Logic
Date: Wed, 17 May 2006 10:30:32 -0500 [thread overview]
Message-ID: <446B4198.60008@us.ibm.com> (raw)
In-Reply-To: <200605161746.31757.sgrubb@redhat.com>
Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
>
> You have to consider the lists that they are on. Each list is evaluated from
> first to last. Any event that is created is sent to the exclude filter for
> potential action.
Alright, could you add some examples of using the exclude list to the
man page? It isn't clear how it's use is intended.
>> Examples:
>> entry,always -S chmod - should see a record for chmod
>> exclude,always -S all - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
>
> Yes. The exclude filter only removes records by message type.
>
> exclude,always -F msgtype=SYSCALL
>
> would be a valid use of it.
I just tested this, and I think, from what I understood of your above
statement, that it is not functioning correctly... here is my transcript.
# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]
Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 comm="chmod" exe="/bin/chmod"
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500"
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:sysadm_home_dir_t:s0
>> From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
>
> I suspect we should have an error when you try to load a rule like in you
> example.
Currently, no errors are returned. Here is the transcript of my
originally list above actions.
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all
Mike
prev parent reply other threads:[~2006-05-17 15:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-16 20:13 Multiple Rule Logic Michael C Thompson
2006-05-16 21:46 ` Steve Grubb
2006-05-17 15:30 ` Michael C Thompson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=446B4198.60008@us.ibm.com \
--to=thompsmc@us.ibm.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.