From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: MAC_IPSEC_EVENT Logged without rules
Date: Mon, 9 Jan 2012 11:46:15 -0500
Message-ID: <201201091146.16206.sgrubb@redhat.com>
References: <CAA7Uhc=FLnwShGFx51yinXsrgPhKxkKrrkK-Nwv=PJGsCKryMw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAA7Uhc=FLnwShGFx51yinXsrgPhKxkKrrkK-Nwv=PJGsCKryMw@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, January 05, 2012 10:26:10 PM Diego Woitasen wrote:
> Hi,
>  I have a machine with IPSEC running (Strongswan) and audit to
> register some user events. The weird thing is that I'm getting this
> messages logged without having any rule:
> 
> Jan  6 00:21:43 nodovpn668 audispd: node=nodovpn668
> type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound
> src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15)
> seqno=1463943698
> 
> My workaround is:  auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT
> 
> Bug or Am I missing something?

This is correct. There are 2 kinds of events: mandatory and discretionary. There 
are a number of user space and kernel events that are generated no matter what, 
like a user logging into a machine. But there are also some events that the 
admin may not want and they need to be excluded. So, adding an exclude rule is 
the right thing to do if you don't want them.

-Steve