From: Marko Weber | 8000
Subject: suppress log entries, how?
Date: Wed, 01 Oct 2014 08:46:18 +0200
Message-ID: <83161eeb858a1d542226038851db7789@zbfmail.de>
To: linux-audit@redhat.com

Good morning list,

I installed auditd on my Gentoo server. The installation runs without error, but on start I get this:

# /etc/init.d/auditd start
 * Starting auditd ...                                               [ ok ]
touch: cannot touch '/var/lock/subsys/auditd': No such file or directory
 * Loading audit rules from /etc/audit/audit.rules

It seems /var/lock/subsys/auditd is missing. That was easy to fix, but it has to be repeated after every reboot.

In auditd.log I get entries like this:

type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2 entries=6
type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)

I want to suppress these messages. In my understanding of the man page I have to put a rule like this into audit.rules:

-a exclude,never -F msgtype=NETFILTER_CFG

but this isn't working; the messages still appear.

The config of my fresh auditd install:

# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D

# Feel free to add below this line. See auditctl man page
-a exclude,never -F msgtype=NETFILTER_CFG

# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exclude,never -F msgtype=NETFILTER_CFG

# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all

# Increase the buffers to survive stress events
-b 8192

# lock the audit configuration to prevent any modification of this file.
-e 2

I installed audit 2.2.2-r2 on Gentoo, if this is of interest.

Thank you,
Marko

-- 
zbfmail - Mittendrin statt nur Datei!
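An added illustration of the record-versus-event distinction behind the question (this is not part of Marko's post and not code from the audit project): the kernel's exclude list matches on the record type of each individual record, while the two lines in the post belong to one event (same serial 2446 inside msg=audit(ts:serial)), so a msgtype exclusion for NETFILTER_CFG by itself leaves the SYSCALL record of that event in place. The script below parses audit.log-style lines, groups them by serial, and shows a per-record filter next to a per-event filter. The sample log is constructed: it reuses the two records from the post and adds one unrelated, made-up event (serial 2447, a read of /etc/shadow) so the filters have something to keep. The field parsing is deliberately simple and assumes the key=value layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the post (one event, serial 2446)
# plus a second, made-up event (serial 2447) that the filters should keep.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2 entries=6
type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
type=SYSCALL msg=audit(1412022300.100:2447): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=2200 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="shadow"
type=PATH msg=audit(1412022300.100:2447): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <key=value fields>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# Values are either "quoted", (parenthesised) like (null)/(none), or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Parse one audit.log line into type, timestamp, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # continuation or unrelated line; ignored here
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'type': m.group('type'),
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def group_events(text):
    """Group records by serial: all records sharing a serial form one audit event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return dict(events)


def exclude_msgtypes(events, msgtypes):
    """Record-level filter, the shape of an msgtype exclusion: only records of
    the named types are dropped; other records of the same event survive."""
    out = {}
    for serial, recs in events.items():
        kept = [r for r in recs if r['type'] not in msgtypes]
        if kept:
            out[serial] = kept
    return out


def drop_events_where(events, **match):
    """Event-level filter: drop the whole event when any of its records carries
    all the given field values (e.g. comm='iptables')."""
    out = {}
    for serial, recs in events.items():
        hit = any(all(r['fields'].get(k) == v for k, v in match.items()) for r in recs)
        if not hit:
            out[serial] = recs
    return out


def summarize(events):
    """Return {serial: [record types]} for quick inspection."""
    return {s: [r['type'] for r in recs] for s, recs in sorted(events.items())}


if __name__ == '__main__':
    ev = group_events(SAMPLE_LOG)
    print('all events:         ', summarize(ev))
    print('minus NETFILTER_CFG:', summarize(exclude_msgtypes(ev, {'NETFILTER_CFG'})))
    print('minus iptables evts:', summarize(drop_events_where(ev, comm='iptables')))
```

Run against a real audit.log the same grouping shows which record types a given serial carries, which is the first thing to check when an exclusion "does not work": the excluded type may be gone while the SYSCALL record of the same event is what is still being noticed.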