From: Michael C Thompson
Subject: Re: Multiple Rule Logic
Date: Wed, 17 May 2006 10:30:32 -0500
Message-ID: <446B4198.60008@us.ibm.com>
References: <446A326C.1070600@us.ibm.com> <200605161746.31757.sgrubb@redhat.com>
In-Reply-To: <200605161746.31757.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
>
> You have to consider the lists that they are on. Each list is evaluated from
> first to last. Any event that is created is sent to the exclude filter for
> potential action.

Alright, could you add some examples of using the exclude list to the man
page? It isn't clear how its use is intended.

>> Examples:
>> entry,always -S chmod - should see a record for chmod
>> exclude,always -S all - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
>
> Yes. The exclude filter only removes records by message type.
>
> exclude,always -F msgtype=SYSCALL
>
> would be a valid use of it.

I just tested this, and I think, from what I understood of your above
statement, that it is not functioning correctly... here is my transcript.
# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500

[yes, 500 is a file]

Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15 success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211 pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="chmod" exe="/bin/chmod" subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500" inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:sysadm_home_dir_t:s0

>> From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
>
> I suspect we should have an error when you try to load a rule like in your
> example.

Currently, no errors are returned. Here is the transcript of my originally
listed actions above.

# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all

Mike
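An added check, not part of the mail or of the audit code itself, that models the exclude-list semantics Steve describes (only a msgtype match drops a record) and reports which records in a captured log should have been excluded but are present. The log sample is constructed from the transcript above, and the rule parser handles only the -F and -S forms used in this thread.

```python
import re

# Constructed sample, shaped after the transcript in the mail: the three
# records a single chmod syscall produced even with the exclude rule loaded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15 success=yes exit=0 comm="chmod" exe="/bin/chmod"
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500" inode=786439 mode=0100777
"""

# Every audit record starts with its type and the event timestamp:serial pair.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\([\d.]+:(?P<serial>\d+)\):')

def parse_records(text):
    """Return (event_serial, msgtype) for each audit record line in text."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((int(m.group("serial")), m.group("type")))
    return records

def parse_rule_fields(args):
    """Map the arguments of one 'auditctl -a exclude,always ...' rule to fields.
    Only '-F key=value' and '-S syscall' are understood (the forms in the mail)."""
    fields, tokens = {}, args.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F":
            key, _, val = tokens[i + 1].partition("=")
            fields[key] = val
        elif tok == "-S":
            fields["syscall"] = tokens[i + 1]
    return fields

def excluded_types(exclude_args):
    """Message types the exclude list should drop, following the statement that
    the exclude filter removes records by message type only; a rule without
    '-F msgtype=' (such as '-S all') therefore excludes nothing."""
    return {r["msgtype"] for r in map(parse_rule_fields, exclude_args) if "msgtype" in r}

def leaked_records(log_text, exclude_args):
    """Records present in the log whose type the exclude list should have removed.
    A non-empty result means the loaded exclude rule is not taking effect."""
    drop = excluded_types(exclude_args)
    return [(serial, t) for serial, t in parse_records(log_text) if t in drop]
```

Run against a real log captured after loading the rule, a non-empty `leaked_records` result is the same evidence the transcript above shows by hand.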