Multiple Rule Logic

Multiple Rule Logic

[Michael C Thompson]

Hey Steve,

I was wondering what is to be expected when multiple rules exist that 
pertain to the same action.

Examples:
entry,always -S chmod   - should see a record for chmod
exclude,always -S all   - should never see any sys calls

Combined, should I expect a chmod record?

 From my experiments with the current code, if any one rule instructs 
audit to log the action, auditd will log it (i.e. I'll see a chmod 
record). I'm wondering if this is the intended functionality.

Thanks,
Mike

Re: Multiple Rule Logic

[Steve Grubb]

On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
> I was wondering what is to be expected when multiple rules exist that
> pertain to the same action.

You have to consider the lists that they are on. Each list is evaluated from 
first to last. Any event that is created is sent to the exclude filter for 
potential action.

> Examples:
> entry,always -S chmod   - should see a record for chmod
> exclude,always -S all   - should never see any sys calls
>
> Combined, should I expect a chmod record?

Yes. The exclude filter only removes records by message type.

exclude,always -F msgtype=SYSCALL

would be a valid use of it.

>  From my experiments with the current code, if any one rule instructs
> audit to log the action, auditd will log it (i.e. I'll see a chmod
> record). I'm wondering if this is the intended functionality.

I suspect we should have an error when you try to load a rule like in you 
example.

-Steve

Re: Multiple Rule Logic

[Michael C Thompson]

Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
> 
> You have to consider the lists that they are on. Each list is evaluated from 
> first to last. Any event that is created is sent to the exclude filter for 
> potential action.

Alright, could you add some examples of using the exclude list to the 
man page? It isn't clear how it's use is intended.

>> Examples:
>> entry,always -S chmod   - should see a record for chmod
>> exclude,always -S all   - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
> 
> Yes. The exclude filter only removes records by message type.
> 
> exclude,always -F msgtype=SYSCALL
> 
> would be a valid use of it.

I just tested this, and I think, from what I understood of your above 
statement, that it is not functioning correctly... here is my transcript.

# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]

Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15 
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211 
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts4 comm="chmod" exe="/bin/chmod" 
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591):  cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500" 
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:sysadm_home_dir_t:s0


>>  From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
> 
> I suspect we should have an error when you try to load a rule like in you 
> example.

Currently, no errors are returned. Here is the transcript of my 
originally list above actions.

# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all


Mike