public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Linux-audit@redhat.com, Andreas Hasenack <andreas@canonical.com>
Subject: Re: -a never,exit still being logged
Date: Thu, 19 Nov 2020 13:52:47 -0500
Message-ID: <5560785.MhkbZ0Pkbq@x2>
In-Reply-To: <CANYNYEEYUsU8BGj7E+=T=jyrkxVn1x60qipf8rvk1Oi6DPquyg@mail.gmail.com>

On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> Hi,
> 
> continuing my experiments in trying to reduce the auditd noise, I have
> these two rules:
> 
> # auditctl -l
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/iptables -F auid=-1
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=-1
> 
> I did use -F auid=4294967295 in the rules file, and auditd seems to
> have understood that correctly as it's showing -1 in the rules list.
> 
> But this event is still being logged:
> type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter
> family=2 entries=281
> type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208
> success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950
> pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor"
> exe="/sbin/xtables-multi" key=(null)
> type=PROCTITLE msg=audit(1605810940.198:1089):
> proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
> 
> Same event, decoded with ausearch -i:
> ----
> type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) :
> proctitle=iptables-restore --noflush --verbose --wait 10
> --wait-interval 50000
> type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64
> syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip
> a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor
> exe=/sbin/xtables-multi key=(null)
> type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) :
> table=filter family=ipv4 entries=281
> ----
> 
> Why is it being logged, given that it matches the second (and last) rule I
> have?

These two events are considered kernel configuration changes, which means that
they do not originate via the SYSCALL rule engine. The -a never,exit
technique works only when the event is generated as a result of other SYSCALL
rules. Normally you would place that higher up so it matches first.

In this case, what you would want to do is suppress it using the exclude
filter:

-a always,exclude -F msgtype=NETFILTER_CFG

That should fix it.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
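A small rules-file check, added here as an illustration and not part of this thread or of the audit project: it flags a never,exit rule that sits below the always,exit rule for the same syscall (it has to come first to match first) and a never,exit rule with no always,exit rule at all, which is the situation above, where only the exclude filter helps. The rules text is constructed, and only -a rules are considered (watches are ignored).

```python
import re
import shlex

# Constructed audit.rules text modelled on the thread (not the poster's file):
# rule 2 sits below an always rule for the same syscall, rule 3 has no
# always rule to suppress, rule 4 is the exclude filter recommended above.
SAMPLE_RULES = """
-a always,exit -F arch=b64 -S setsockopt -k netcfg
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=4294967295
-a never,exit -F arch=b64 -S connect -F auid=4294967295
-a always,exclude -F msgtype=NETFILTER_CFG
"""

FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def parse_rules(text):
    """Parse 'auditctl -a' lines; comments, blanks and -w watches are skipped."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if len(toks) < 2 or toks[0] != "-a":
            continue
        action, lst = toks[1].split(",", 1)
        rule = {"action": action, "list": lst, "syscalls": set(), "fields": {}}
        for opt, arg in zip(toks[2::2], toks[3::2]):  # every option takes one argument
            if opt == "-S":
                rule["syscalls"].update(arg.split(","))
            elif opt == "-F" and (m := FIELD_RE.match(arg)):
                rule["fields"][m.group(1)] = (m.group(2), m.group(3))
        rules.append(rule)
    return rules


def lint(text):
    """Flag never,exit rules that cannot suppress what their author expects."""
    rules = parse_rules(text)
    always = [(j, r) for j, r in enumerate(rules)
              if r["action"] == "always" and r["list"] == "exit"]
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "never" or r["list"] != "exit":
            continue
        for sc in sorted(r["syscalls"]):
            # only an always,exit rule for the same syscall and arch generates the record
            gens = [j for j, a in always
                    if sc in a["syscalls"] and a["fields"].get("arch") == r["fields"].get("arch")]
            if not gens:
                findings.append(f"rule {i + 1}: never,exit for {sc} has no always,exit rule to suppress; kernel-originated records need -a always,exclude -F msgtype=<TYPE>")
            elif min(gens) < i:
                findings.append(f"rule {i + 1}: never,exit for {sc} sits below always,exit rule {min(gens) + 1}; move it above so it matches first")
    return findings
```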

