* suppress log entries, how?
From: Marko Weber | 8000 @ 2014-10-01 6:46 UTC
To: linux-audit
Good morning list,
I installed auditd on my Gentoo server.
The installation runs without error, but on start I get this:
# /etc/init.d/auditd start
* Starting auditd ...
[ ok ]
touch: cannot touch '/var/lock/subsys/auditd': No such file or directory
* Loading audit rules from /etc/audit/audit.rules
Seems /var/lock/subsys/auditd is missing.
That was easy to fix, but has to be repeated after every reboot.
In auditd.log I get entries like this:
type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2 entries=6
type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
I want to suppress these messages.
In my understanding of the man page I have to put such a rule into audit.rules:

-a exclude,never -F msgtype=NETFILTER_CFG

but this isn't working; the messages still appear.
My config from my fresh auditd install:
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
-a exclude,never -F msgtype=NETFILTER_CFG
# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exclude,never -F msgtype=NETFILTER_CFG
# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# lock the audit configuration to prevent any modification of this file.
-e 2
I installed audit 2.2.2-r2 on Gentoo, if this is of interest.
Thank you,
Marko
--
zbfmail - Mittendrin statt nur Datei!
* Re: suppress log entries, how?
From: Steve Grubb @ 2014-10-01 13:55 UTC
To: linux-audit, weber
On Wednesday, October 01, 2014 08:46:18 AM Marko Weber | 8000 wrote:
> Good morning list,
>
> I installed auditd on my Gentoo server.
> The installation runs without error, but on start I get this:
>
> # /etc/init.d/auditd start
> * Starting auditd ...
>
> [ ok ]
> touch: cannot touch '/var/lock/subsys/auditd': No such file or directory
> * Loading audit rules from /etc/audit/audit.rules
>
> Seems /var/lock/subsys/auditd is missing.
> That was easy to fix, but has to be repeated after every reboot.
>
>
> In auditd.log I get entries like this:
>
> type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2 entries=6
> type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
>
> I want to suppress these messages.
> In my understanding of the man page I have to put such a rule into audit.rules:
>
> -a exclude,never -F msgtype=NETFILTER_CFG
>
> but this isn't working; the messages still appear.
Note that this says "never exclude" :-) I think you want -a exclude,always.
Give that a try.
-Steve
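The two messages above point at three things worth checking mechanically in a rules file like the poster's: an exclude rule written with the "never" action (which the reply reads as "never exclude"), the same rule listed twice, and the position of "-e 2", which makes the loaded configuration immutable so that any later line, including a corrected exclude rule, cannot take effect until the machine is rebooted. The script below is an added example and is not code from the audit project or from either poster. It parses the "-a list,action" syntax of auditctl(8) (both word orders are accepted there), lints a constructed copy of the first message's rules file, and emits a corrected copy with "exclude,always" as suggested in the reply. The function names and the lint codes are my own.

```python
"""Lint an audit.rules file for the pitfalls in the thread above.

Added example, not code from the audit project or from either poster.
The helper names are my own and SAMPLE_RULES is a constructed copy of
the first message's rules file.  Syntax follows auditctl(8):
'-a list,action', list in {task, exit, user, exclude, filesystem},
action in {always, never}; auditctl accepts the two in either order.
"""
import shlex

LISTS = {"task", "exit", "user", "exclude", "filesystem"}
ACTIONS = {"always", "never"}

# Constructed sample: the poster's audit.rules with comments dropped and
# the long syscall lists shortened.
SAMPLE_RULES = """\
-D
-a exclude,never -F msgtype=NETFILTER_CFG
-a exit,never -F arch=b32 -S read -S write -S open -S close
-a exit,never -F arch=b64 -S read -S write -S open -S close
-a exclude,never -F msgtype=NETFILTER_CFG
-b 8192
-e 2
"""


def parse_list_action(spec):
    """Split 'list,action' (or 'action,list') into (list, action)."""
    parts = spec.split(",")
    if len(parts) != 2:
        raise ValueError("bad list,action spec: %r" % spec)
    first, second = parts
    if first in LISTS and second in ACTIONS:
        return first, second
    if first in ACTIONS and second in LISTS:
        return second, first
    raise ValueError("unknown list or action in %r" % spec)


def lint_rules(text):
    """Return (lineno, code, message) findings for an audit.rules text."""
    findings = []
    seen = {}         # normalized rule -> line it first appeared on
    locked_at = None  # line of '-e 2'; the kernel refuses changes after it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if locked_at is not None:
            findings.append((lineno, "after-lock",
                             "follows '-e 2' on line %d and cannot be loaded "
                             "until the next reboot" % locked_at))
            continue
        if argv[0] == "-e" and argv[1:] == ["2"]:
            locked_at = lineno
            continue
        if argv[0] == "-D":
            seen.clear()  # -D flushes loaded rules, so duplicate tracking restarts
            continue
        if argv[0] not in ("-a", "-A") or len(argv) < 2:
            continue
        lst, action = parse_list_action(argv[1])
        if lst == "exclude" and action == "never":
            findings.append((lineno, "exclude-never",
                             "reads as 'never exclude'; use exclude,always"))
        key = (lst, action, tuple(argv[2:]))
        if key in seen:
            findings.append((lineno, "duplicate",
                             "same rule as line %d" % seen[key]))
        else:
            seen[key] = lineno
    return findings


def fix_rules(text):
    """Rewrite exclude,never as exclude,always and drop duplicate rules."""
    out = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            argv = shlex.split(line)
            if argv[0] == "-D":
                seen.clear()
            elif argv[0] in ("-a", "-A") and len(argv) >= 2:
                lst, action = parse_list_action(argv[1])
                if lst == "exclude":
                    action = "always"
                argv[1] = "%s,%s" % (lst, action)
                if tuple(argv) in seen:
                    continue  # second copy of an identical rule
                seen.add(tuple(argv))
                line = shlex.join(argv)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, code, msg in lint_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, code, msg))
    print(fix_rules(SAMPLE_RULES))
```

Run against the sample, the linter reports the exclude,never rule on line 2 and its duplicate on line 5; the corrected output keeps a single "-a exclude,always -F msgtype=NETFILTER_CFG" ahead of "-e 2". Because the poster's file ends with "-e 2", the corrected file only takes effect after a reboot; until then the immutable flag keeps the old rules in place.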