From: Michael C Thompson <thompsmc@us.ibm.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Multiple Rule Logic
Date: Wed, 17 May 2006 10:30:32 -0500 [thread overview]
Message-ID: <446B4198.60008@us.ibm.com> (raw)
In-Reply-To: <200605161746.31757.sgrubb@redhat.com>
Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
>
> You have to consider the lists that they are on. Each list is evaluated from
> first to last. Any event that is created is sent to the exclude filter for
> potential action.
Alright, could you add some examples of using the exclude list to the
man page? It isn't clear how it's use is intended.
>> Examples:
>> entry,always -S chmod - should see a record for chmod
>> exclude,always -S all - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
>
> Yes. The exclude filter only removes records by message type.
>
> exclude,always -F msgtype=SYSCALL
>
> would be a valid use of it.
I just tested this, and I think, from what I understood of your above
statement, that it is not functioning correctly... here is my transcript.
# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]
Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 comm="chmod" exe="/bin/chmod"
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500"
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:sysadm_home_dir_t:s0
>> From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
>
> I suspect we should have an error when you try to load a rule like in you
> example.
Currently, no errors are returned. Here is the transcript of my
originally list above actions.
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all
Mike
prev parent reply other threads:[~2006-05-17 15:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-16 20:13 Multiple Rule Logic Michael C Thompson
2006-05-16 21:46 ` Steve Grubb
2006-05-17 15:30 ` Michael C Thompson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=446B4198.60008@us.ibm.com \
--to=thompsmc@us.ibm.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox