public inbox for linux-audit@redhat.com
* -a never,exit still being logged
@ 2020-11-19 18:43 Andreas Hasenack
From: Andreas Hasenack @ 2020-11-19 18:43 UTC (permalink / raw)
  To: Linux-audit

Hi,

continuing my experiments in trying to reduce the auditd noise, I have
these two rules:

# auditctl -l
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
exe=/sbin/iptables -F auid=-1
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
exe=/sbin/xtables-multi -F auid=-1

I did use -F auid=4294967295 in the rules file, and auditd seems to
have understood that correctly as it's showing -1 in the rules list.

But this event is still being logged:
type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter
family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208
success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950
pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor"
exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089):
proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030

Same event, decoded with ausearch -i:
----
type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) :
proctitle=iptables-restore --noflush --verbose --wait 10
--wait-interval 50000
type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64
syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip
a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor
exe=/sbin/xtables-multi key=(null)
type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) :
table=filter family=ipv4 entries=281
----

Why is it being logged, given that it matches the second (and last) rule I have?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: -a never,exit still being logged
@ 2020-11-19 18:52 ` Steve Grubb
From: Steve Grubb @ 2020-11-19 18:52 UTC (permalink / raw)
  To: Linux-audit, Andreas Hasenack

On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> Hi,
> 
> continuing my experiments in trying to reduce the auditd noise, I have
> these two rules:
> 
> # auditctl -l
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
> exe=/sbin/iptables -F auid=-1
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
> exe=/sbin/xtables-multi -F auid=-1
> 
> I did use -F auid=4294967295 in the rules file, and auditd seems to
> have understood that correctly as it's showing -1 in the rules list.
> 
> But this event is still being logged:
> type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter
> family=2 entries=281
> type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208
> success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950
> pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor"
> exe="/sbin/xtables-multi" key=(null)
> type=PROCTITLE msg=audit(1605810940.198:1089):
> proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D7665726
> 26F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
> 
> Same event, decoded with ausearch -i:
> ----
> type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) :
> proctitle=iptables-restore --noflush --verbose --wait 10
> --wait-interval 50000
> type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64
> syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip
> a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor
> exe=/sbin/xtables-multi key=(null)
> type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) :
> table=filter family=ipv4 entries=281
> ----
> 
> Why is it being logged, given that it matches the second (and last) rule I
> have?

These two events are considered kernel configuration changes, which means that 
they do not originate via the SYSCALL rule engine. The -a never,exit 
technique works only when the event is generated as a result of other SYSCALL 
rules. Normally you would place that higher up so it matches first.

In this case, what you would want to do is suppress it using the exclude 
filter:

-a always,exclude -F msgtype=NETFILTER_CFG

That should fix it.

-Steve



* Re: -a never,exit still being logged
@ 2020-11-19 18:59   ` Andreas Hasenack
From: Andreas Hasenack @ 2020-11-19 18:59 UTC (permalink / raw)
  To: Linux-audit

Hi,

On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > Why is it being logged, given that it matches the second (and last) rule I
> > have?
>
> These two events are considered kernel configuration changes. Which means that
> they do not originate via the SYSCALL rule engine. The -a never,exit
> technique works only when the event is generated as a result of other SYSCALL
> rules. Normally you would place that higher up so it matches first.
>
> In this case, what you would want to do is suppress it using the exclude
> filter:
>
> -a always,exclude -F msgtype=NETFILTER_CFG
>
> That should fix it.

I see, and I can still add auid=-1 to that one, right? Just not the exe filter?


* Re: -a never,exit still being logged
@ 2020-11-19 19:54     ` Steve Grubb
From: Steve Grubb @ 2020-11-19 19:54 UTC (permalink / raw)
  To: Linux-audit, Andreas Hasenack

On Thursday, November 19, 2020 1:59:58 PM EST Andreas Hasenack wrote:
> Hi,
> 
> On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > > Why is it being logged, given that it matches the second (and last)
> > > rule I
> > > have?
> > 
> > These two events are considered kernel configuration changes. Which means
> > that they do not originate via the SYSCALL rule engine. The -a
> > never,exit technique works only when the event is generated as a result
> > of other SYSCALL rules. Normally you would place that higher up so it
> > matches first.
> > 
> > In this case, what you would want to do is suppress it using the exclude
> > filter:
> > 
> > -a always,exclude -F msgtype=NETFILTER_CFG
> > 
> > That should fix it.
> 
> I see, and I can still add auid=-1 to that one, right? Just not the exe
> filter?

You can add the -F auid=-1 if you want to.

-Steve
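The two filter behaviours Steve describes in this reply and in his first one (an exit-list `-a never,exit` rule cannot catch this event, while `-a always,exclude -F msgtype=NETFILTER_CFG`, optionally with `-F auid=-1`, can), checked offline against the raw event Andreas posted. This is an added example written for this page, not code from the list or from the audit project; the raw-order heuristic for spotting the originating record and the mapping of the exclude filter's auid onto the SYSCALL record's auid are its own assumptions, and the sample event is copied from the thread.

```python
import re

# Constructed input: the raw event quoted in the thread (one serial, three records).
RAW_EVENT = (
    "type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281\n"
    "type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes "
    "exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 "
    "uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 "
    'comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)\n'
    "type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D7265"
    "73746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D77"
    "6169742D696E74657276616C003530303030\n"
)
AUID_UNSET = 4294967295  # what auditctl -l prints as auid=-1 and ausearch -i as auid=unset
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(text):
    """One dict of key=value fields per raw audit record line (quotes stripped)."""
    return [{k: v.strip('"') for k, v in _KV.findall(line)}
            for line in text.splitlines() if line.strip()]

def decode_proctitle(hex_str):
    """PROCTITLE is argv hex-encoded with NUL separators; render it as ausearch -i does."""
    return bytes.fromhex(hex_str).decode("utf-8", "replace").replace("\x00", " ")

def exit_rule_can_match(records):
    """'-a never,exit ...' only affects events the SYSCALL rule engine produced.

    Heuristic (assumption): in raw auditd output the originating record is written
    first, so an event whose first record is not SYSCALL (here NETFILTER_CFG, with the
    SYSCALL record attached afterwards) never went through the exit filter list.
    """
    return bool(records) and records[0].get("type") == "SYSCALL"

def exclude_rule_suppresses(records, msgtype, auid=None):
    """Model '-a always,exclude -F msgtype=<msgtype> [-F auid=<auid>]' on one event.

    The exclude filter keys on the record type, not on syscall arguments, which is why it
    reaches NETFILTER_CFG. An auid filter is compared with the emitting task's loginuid,
    which the SYSCALL record reports as auid (assumption made by this model).
    """
    if not any(r.get("type") == msgtype for r in records):
        return False
    if auid is None:
        return True
    wanted = AUID_UNSET if auid == -1 else auid
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    return syscall is not None and int(syscall.get("auid", -2)) == wanted
```

Adding `-F auid=-1` keeps the suppression limited to unattributed activity such as boot-time restores, so the same table change made from a logged-in session still produces an event.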

