From: "Ameel Kamboh"
Subject: Audit with path exception rule
Date: Mon, 23 Jul 2007 10:25:22 -0500
Message-ID: <95470FF653FF324C8171194A81299CE01519EEA1@zrc2hxm2.corp.nortel.com>
To: linux-audit@redhat.com

I would like to audit the file system for anyone creating new files.
However, I would like to exclude a directory from the watch list.

Here is the sample I have:

#3. create/Remove any files
-a exit,always -S creat  -F path!=/var/myApp   <--- line 21
-a exit,always -S unlink -F path!=/var/myApp

This is giving me the following error:

auditctl -R test.rules
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=3413 rate_limit=0 backlog_limit=1024 lost=0 backlog=0
Error sending add rule data request (Invalid argument)
There was an error in line 21 of test.rules

Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com
From: Steve Grubb
Subject: Re: Audit with path exception rule
Date: Tue, 24 Jul 2007 15:47:59 -0400
Message-ID: <200707241548.00142.sgrubb@redhat.com>
In-Reply-To: <95470FF653FF324C8171194A81299CE01519EEA1@zrc2hxm2.corp.nortel.com>
To: linux-audit@redhat.com, Alexander Viro

On Monday 23 July 2007 11:25:22 am Ameel Kamboh wrote:
> I would like to audit the file system for anyone creating new files
> However I would like to exclude a directory from the watch list.
>
> Here is the sample I have:
>
> #3. create/Remove any files
> -a exit,always -S creat -F path!=/var/myApp <--- line 21
> -a exit,always -S unlink -F path!=/var/myApp

I was hoping one of the kernel people was going to jump in with an answer
here. I have a feeling that the kernel doesn't allow it. I think it would be
trivial to patch the kernel to allow this and we should. The rule you are
trying to express seems reasonable to me.

-Steve

From: Alexander Viro
Subject: Re: Audit with path exception rule
Date: Tue, 14 Aug 2007 15:12:25 -0400
Message-ID: <20070814191225.GA14077@devserv.devel.redhat.com>
In-Reply-To: <200707241548.00142.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

On Tue, Jul 24, 2007 at 03:47:59PM -0400, Steve Grubb wrote:
> On Monday 23 July 2007 11:25:22 am Ameel Kamboh wrote:
> > I would like to audit the file system for anyone creating new files
> > However I would like to exclude a directory from the watch list.
> >
> > Here is the sample I have:
> >
> > #3. create/Remove any files
> > -a exit,always -S creat -F path!=/var/myApp <--- line 21
> > -a exit,always -S unlink -F path!=/var/myApp
>
> I was hoping one of the kernel people was going to jump in with an answer
> here. I have a feeling that the kernel doesn't allow it. I think it would be
> trivial to patch the kernel to allow this and we should. The rule you are
> trying to express seems reasonable to me.

The problem with that is simple - for that kind of rule we lose the hash-based
overhead reduction we have for watches. Basically, we distribute AUDIT_WATCH
rules into a bunch of lists, by hash(inumber(watched object)). At match time
we can skip most of them immediately, by not walking every list. Negative
rules like that would have to go into "the rest" list and its length is
rather sensitive for overhead...
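A small model of the bucketed watch dispatch Al Viro describes, added here as an illustration and not code from the kernel or from anyone on this thread: a positive path watch is keyed by the watched object's inode and lands in one hash bucket, while a path!= rule has no inode to key on and could only sit on the catch-all list that every syscall exit walks. The bucket count, the hash function and the inode numbers are constructed assumptions.

```c
#include <stdint.h>
/* Illustrative model of bucketed watch dispatch; not the kernel's code.
 * BUCKETS, hash_ino() and the inode numbers are assumptions for the example. */
#define BUCKETS 32
#define MAX_PER_LIST 128

struct watch { uint64_t ino; const char *path; };
static struct watch bucket[BUCKETS][MAX_PER_LIST];
static int bucket_len[BUCKETS];
static int rest_len;   /* "the rest" list: walked on every syscall exit */

static unsigned hash_ino(uint64_t ino) { return (unsigned)(ino % BUCKETS); }

static void reset_lists(void)
{
    for (int i = 0; i < BUCKETS; i++) bucket_len[i] = 0;
    rest_len = 0;
}

/* -F path=/some/file: keyed by the watched object's inode, lands in one bucket. */
static int add_watch(uint64_t ino, const char *path)
{
    unsigned h = hash_ino(ino);
    if (bucket_len[h] == MAX_PER_LIST) return -1;
    bucket[h][bucket_len[h]++] = (struct watch){ ino, path };
    return 0;
}

/* -F path!=/some/dir matches every inode but one, so no bucket can hold it;
 * the only place left is the catch-all list, which every event then walks. */
static int add_negative_watch(void)
{
    if (rest_len == MAX_PER_LIST) return -1;
    rest_len++;
    return 0;
}

/* Rules examined for an exit event on `ino`: its own bucket plus the rest. */
static int rules_walked(uint64_t ino) { return bucket_len[hash_ino(ino)] + rest_len; }

/* A positive watch is found by searching only the bucket `ino` hashes to. */
static int watch_hit(uint64_t ino)
{
    unsigned h = hash_ino(ino);
    for (int i = 0; i < bucket_len[h]; i++)
        if (bucket[h][i].ino == ino) return 1;
    return 0;
}
```

With 64 constructed watches spread over 32 buckets, an event on inode 5 examines only the 2 rules in its bucket; each path!= rule on the catch-all list adds one more comparison to every event, whatever inode it touches.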