MAC_IPSEC_EVENT Logged without rules

MAC_IPSEC_EVENT Logged without rules

[Diego Woitasen]

Hi,
 I have a machine with IPSEC running (Strongswan) and audit to
register some user events. The weird thing is that I'm getting this
messages logged without having any rule:

Jan  6 00:21:43 nodovpn668 audispd: node=nodovpn668
type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound
src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15)
seqno=1463943698

My workaround is:  auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT

Bug or Am I missing something?

Regards,
 Diego

-- 
Diego Woitasen

Re: MAC_IPSEC_EVENT Logged without rules

[Steve Grubb]

On Thursday, January 05, 2012 10:26:10 PM Diego Woitasen wrote:
> Hi,
>  I have a machine with IPSEC running (Strongswan) and audit to
> register some user events. The weird thing is that I'm getting this
> messages logged without having any rule:
> 
> Jan  6 00:21:43 nodovpn668 audispd: node=nodovpn668
> type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound
> src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15)
> seqno=1463943698
> 
> My workaround is:  auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT
> 
> Bug or Am I missing something?

This is correct. There are 2 kinds of events: mandatory and discretionary. There 
are a number of user space and kernel events that are generated no matter what, 
like a user logging into a machine. But there are also some events that the 
admin may not want and they need to be excluded. So, adding an exclude rule is 
the right thing to do if you don't want them.

-Steve