Linux-audit Archive on lore.kernel.org
* What is expected: exclude action on the never list?
@ 2006-05-30 20:45 Michael C Thompson
  2006-05-30 21:12 ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Michael C Thompson @ 2006-05-30 20:45 UTC (permalink / raw)
  To: Steve Grubb, Linux Audit

Hey Steve,

I'm doing some testing (a rare occurrence I know), and I've noticed that 
  when the active rules are:

auditctl -a entry,always -S chmod
auditctl -a exclude,always -F msgtype=SYSCALL

The chmod actions are not logged. Now this is what I would expect to 
happen when just reading those lines, not knowing about the internal 
workings of audit. However, if the rules are

auditctl -a entry,always -S chmod
auditctl -a exclude,never -F msgtype=SYSCALL

the chmod actions are not logged either. I would read the second rule as 
saying "do not exclude messages of type SYSCALL". Is this a correct 
interpretation of the rule?

Thanks,
Mike


* Re: What is expected: exclude action on the never list?
  2006-05-30 20:45 What is expected: exclude action on the never list? Michael C Thompson
@ 2006-05-30 21:12 ` Steve Grubb
  2006-05-30 21:17   ` Linda Knippers
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2006-05-30 21:12 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Linux Audit

On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
> I would read the second rule as saying "do not exclude messages of type
> SYSCALL". Is this a correct interpretation of the rule?

That sounds reasonable, but I don't think that's what the kernel does. Maybe 
it should be corrected. I think it's a 1 or 2 liner.

-Steve


* Re: What is expected: exclude action on the never list?
  2006-05-30 21:12 ` Steve Grubb
@ 2006-05-30 21:17   ` Linda Knippers
  2006-05-30 22:27     ` Michael C Thompson
  0 siblings, 1 reply; 6+ messages in thread
From: Linda Knippers @ 2006-05-30 21:17 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit

Steve Grubb wrote:
> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
> 
>>I would read the second rule as saying "do not exclude messages of type
>>SYSCALL". Is this a correct interpretation of the rule?
> 
> 
> That sounds reasonable, but I don't think that's what the kernel does. Maybe 
> it should be corrected. I think it's a 1 or 2 liner.

According to the manpage, I'd say the kernel is behaving as expected.

"Never" means never generate an audit record and "exclude" means even if
one was generated, it should be excluded.  The two options together are
somewhat redundant but I don't think "never" was intended to mean "never
do what the previous option just said to do", at least not according to
the manpage.

-- ljk


* Re: What is expected: exclude action on the never list?
  2006-05-30 21:17   ` Linda Knippers
@ 2006-05-30 22:27     ` Michael C Thompson
  2006-05-30 22:40       ` Linda Knippers
  0 siblings, 1 reply; 6+ messages in thread
From: Michael C Thompson @ 2006-05-30 22:27 UTC (permalink / raw)
  To: Linda Knippers; +Cc: Linux Audit

Linda Knippers wrote:
> Steve Grubb wrote:
>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>
>>> I would read the second rule as saying "do not exclude messages of type
>>> SYSCALL". Is this a correct interpretation of the rule?
>>
>> That sounds reasonable, but I don't think that's what the kernel does. Maybe 
>> it should be corrected. I think it's a 1 or 2 liner.
> 
> According to the manpage, I'd say the kernel is behaving as expected.
> 
> "Never" means never generate an audit record and "exclude" means even if
> one was generated, it should be excluded.  The two options together are
> somewhat redundant but I don't think "never" was intended to mean "never
> do what the previous option just said to do", at least not according to
> the manpage.

Agreed. The wording is... confusing when compared to the rule. I guess 
the real question which needs to be answered is "Do we need to be able 
to force the capture of a rule?"... since audit by default does not 
audit anything, and you have to explicitly add filters, I would say "no" 
to this question.

That said, I think we should leave "exclude,always" as is, and either 
change the man page to say something about "exclude,never" being the 
same as "exclude,always", _or_ change the userspace to indicate that 
"exclude,never" doesn't make sense.

Thanks,
Mike


* Re: What is expected: exclude action on the never list?
  2006-05-30 22:27     ` Michael C Thompson
@ 2006-05-30 22:40       ` Linda Knippers
  2006-05-30 22:43         ` Michael C Thompson
  0 siblings, 1 reply; 6+ messages in thread
From: Linda Knippers @ 2006-05-30 22:40 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: Linux Audit

Michael C Thompson wrote:
> Linda Knippers wrote:
> 
>> Steve Grubb wrote:
>>
>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>
>>>> I would read the second rule as saying "do not exclude messages of type
>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>
>>>
>>> That sounds reasonable, but I don't think that's what the kernel
>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>
>>
>> According to the manpage, I'd say the kernel is behaving as expected.
>>
>> "Never" means never generate an audit record and "exclude" means even if
>> one was generated, it should be excluded.  The two options together are
>> somewhat redundant but I don't think "never" was intended to mean "never
>> do what the previous option just said to do", at least not according to
>> the manpage.
> 
> 
> Agreed. The wording is... confusing when compared to the rule. I guess
> the real question which needs to be answered is "Do we need to be able
> to force the capture of a rule?"... since audit by default does not
> audit anything, and you have to explicitly add filters, I would say "no"
> to this question.
> 
> That said, I think we should leave "exclude,always" as is, and either
> change the man page to say something about "exclude,never" being the
> same as "exclude,always", _or_ change the userspace to indicate that
> "exclude,never" doesn't make sense.

I'm not sure "always" makes sense either, at least not as described in
the manpage, since it says to always write out a record at syscall exit
time.

-- ljk


* Re: What is expected: exclude action on the never list?
  2006-05-30 22:40       ` Linda Knippers
@ 2006-05-30 22:43         ` Michael C Thompson
  0 siblings, 0 replies; 6+ messages in thread
From: Michael C Thompson @ 2006-05-30 22:43 UTC (permalink / raw)
  To: Linda Knippers; +Cc: Linux Audit

Linda Knippers wrote:
> Michael C Thompson wrote:
>> Linda Knippers wrote:
>>
>>> Steve Grubb wrote:
>>>
>>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>>
>>>>> I would read the second rule as saying "do not exclude messages of type
>>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>>
>>>> That sounds reasonable, but I don't think that's what the kernel
>>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>>
>>> According to the manpage, I'd say the kernel is behaving as expected.
>>>
>>> "Never" means never generate an audit record and "exclude" means even if
>>> one was generated, it should be excluded.  The two options together are
>>> somewhat redundant but I don't think "never" was intended to mean "never
>>> do what the previous option just said to do", at least not according to
>>> the manpage.
>>
>> Agreed. The wording is... confusing when compared to the rule. I guess
>> the real question which needs to be answered is "Do we need to be able
>> to force the capture of a rule?"... since audit by default does not
>> audit anything, and you have to explicitly add filters, I would say "no"
>> to this question.
>>
>> That said, I think we should leave "exclude,always" as is, and either
>> change the man page to say something about "exclude,never" being the
>> same as "exclude,always", _or_ change the userspace to indicate that
>> "exclude,never" doesn't make sense.
> 
> I'm not sure "always" makes sense either, at least not as described in
> the manpage, since it says to always write out a record at syscall exit
> time.

So it sounds like the man page needs to be reworded... if I think of 
anything clear and enlightening, I will pass it on.

I think that the "exclude,always" construct (outside of what the man 
page says) has inherent meaning, so I would leave it as is. Would you 
agree that changing the "exclude,never" to be invalidated in userspace 
makes sense?

Mike

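The thread ends with two proposals: document "exclude,never" as behaving like "exclude,always", or have userspace reject it. The small rule linter below, added here as an example and not code from the audit project or from any of the posters, implements the second idea as a pre-load check over auditctl rule lines. It handles only the subset of the auditctl grammar used in the thread (`-a list,action`, `-S syscall`, `-F key=value`); the `Rule` class, the `parse_rule` and `lint` functions and the finding codes are all assumptions of this example. The check for an `exclude` rule on `msgtype=SYSCALL` silencing an `entry`/`exit` syscall rule models the behaviour Mike observed (chmod not logged under both rule sets), not the kernel's filter code.

```python
"""Lint auditctl '-a' rules for the exclude,never ambiguity discussed above.

Added example; the rule grammar handled here is a deliberate subset of auditctl's.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    lst: str                                   # entry, exit, task, user, exclude
    action: str                                # always or never
    syscalls: list = field(default_factory=list)   # names given with -S
    fields: dict = field(default_factory=dict)     # -F key=value pairs


def parse_rule(line: str) -> Rule:
    """Parse 'auditctl -a LIST,ACTION [-S name]... [-F key=value]...'."""
    tokens = line.split()
    if tokens and tokens[0] == "auditctl":
        tokens = tokens[1:]
    rule = None
    i = 0
    while i < len(tokens):
        tok, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if arg is None:
            raise ValueError(f"option {tok!r} is missing its argument")
        if tok == "-a":
            lst, action = arg.split(",", 1)
            rule = Rule(lst, action)
        elif tok == "-S":
            if rule is None:
                raise ValueError("-S given before -a list,action")
            rule.syscalls.append(arg)
        elif tok == "-F":
            if rule is None:
                raise ValueError("-F given before -a list,action")
            key, value = arg.split("=", 1)
            rule.fields[key] = value
        else:
            raise ValueError(f"unsupported token {tok!r}")
        i += 2
    if rule is None:
        raise ValueError("rule has no -a list,action")
    return rule


def lint(rules: list) -> list:
    """Return (code, message) findings for a whole rule set.

    EXCLUDE_NEVER: 'exclude,never' does not un-exclude anything (per the thread,
                   the records are still dropped), so reject it up front.
    SILENCED_SYSCALL_RULE: a syscall rule whose SYSCALL records an exclude rule
                   on msgtype=SYSCALL will discard, i.e. a rule that can never log.
    """
    findings = []
    excluded_types = set()
    for r in rules:
        if r.lst == "exclude" and r.action == "never":
            findings.append(("EXCLUDE_NEVER",
                             "exclude,never does not mean 'do not exclude'; "
                             "use exclude,always or drop the rule"))
        if r.lst == "exclude" and "msgtype" in r.fields:
            excluded_types.add(r.fields["msgtype"])
    if "SYSCALL" in excluded_types:
        for r in rules:
            if r.lst in ("entry", "exit") and r.syscalls:
                findings.append(("SILENCED_SYSCALL_RULE",
                                 f"{r.lst} rule for {','.join(r.syscalls)} is silenced "
                                 "by an exclude rule on msgtype=SYSCALL"))
    return findings


def lint_lines(lines: list) -> list:
    """Convenience wrapper: parse each rule line, then lint the set."""
    return lint([parse_rule(l) for l in lines if l.strip()])


# The two rule sets from the first message of the thread.
RULESET_ALWAYS = ["auditctl -a entry,always -S chmod",
                  "auditctl -a exclude,always -F msgtype=SYSCALL"]
RULESET_NEVER = ["auditctl -a entry,always -S chmod",
                 "auditctl -a exclude,never -F msgtype=SYSCALL"]

if __name__ == "__main__":
    for name, rules in (("always", RULESET_ALWAYS), ("never", RULESET_NEVER)):
        print(f"== exclude,{name} ==")
        for code, msg in lint_lines(rules):
            print(f"  {code}: {msg}")
```

Both rule sets produce a `SILENCED_SYSCALL_RULE` finding, which is the practical point for anyone maintaining audit rules: an exclude filter on `msgtype=SYSCALL` cancels every syscall rule regardless of its action, so a chmod rule that appears to be loaded is not actually producing records. The `never` variant additionally gets the `EXCLUDE_NEVER` finding, which is what rejecting it in userspace would look like.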
