Hi All,
I have a system that is logging many events for a path that I think should be ignored…
[root@host1 ~]# auditctl -l
LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditd_configuration
LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=auditd_configuration
LIST_RULES: exit,always watch=/etc/libaudit.conf perm=wa key=auditd_configuration
LIST_RULES: exit,always watch=/etc/sysconfig/auditd perm=wa key=auditd_configuration
LIST_RULES: exit,never dir=/etc/lvm/cache (0xe) syscall=all
LIST_RULES: exit,never dir=/opt (0x4) syscall=all
LIST_RULES: exit,never dir=/tmp (0x4) syscall=all
LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all
LIST_RULES: exit,never dir=/naab2 (0x6) syscall=all
LIST_RULES: exit,never dir=/ab1 (0x4) syscall=all
LIST_RULES: exit,never dir=/ab2 (0x4) syscall=all
LIST_RULES: exit,always perm=a key=file_attributes
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=file_attributes syscall=ioctl
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=-2146933247 (0x80086601) key=file_attributes syscall=ioctl
LIST_RULES: exit,always arch=3221225534 (0xc000003e) exit=-13 (0xfffffff3) key=invalid_logical_access syscall=open
LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=bin_modification
LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=boot_modification
LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=etc_modification
LIST_RULES: exit,always dir=/home (0x5) perm=wa key=home_modification
LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=lib_modification
LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=lib64_modification
LIST_RULES: exit,always dir=/root (0x5) perm=wa key=root_modification
LIST_RULES: exit,always dir=/sbin (0x5) perm=wa key=sbin_modification
LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=usr_modification
LIST_RULES: exit,always dir=/var/spool/at (0xd) perm=wa key=misc_var
LIST_RULES: exit,always dir=/var/spool/cron (0xf) perm=wa key=misc_var
LIST_RULES: exit,never dir=/var (0x4) syscall=all
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=dir_operations syscall=mkdir,rmdir,unlinkat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=link_operation syscall=rename,link,unlink,symlink
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=special_device_creation syscall=mknod,mknodat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=mount_operation syscall=mount,umount2
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=kernel_module syscall=create_module,init_module,delete_module
LIST_RULES: exclude,always msgtype=CRED_ACQ (0x44f)
LIST_RULES: exclude,always msgtype=CRED_DISP (0x450)
LIST_RULES: exclude,always msgtype=CRYPTO_KEY_USER (0x964)
LIST_RULES: exclude,always msgtype=CRYPTO_SESSION (0x967)
LIST_RULES: exclude,always msgtype=LOGIN (0x3ee)
LIST_RULES: exclude,always msgtype=USER_ACCT (0x44d)
LIST_RULES: exclude,always msgtype=USER_AUTH (0x44c)
LIST_RULES: exclude,always msgtype=USER_CMD (0x463)
LIST_RULES: exclude,always msgtype=USER_END (0x452)
LIST_RULES: exclude,always msgtype=USER_LOGIN (0x458)
LIST_RULES: exclude,always msgtype=USER_START (0x451)
[root@host1 ~]# tail /var/log/audit/audit.log
node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=3 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958573 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=2 name="temp_checkpoint.checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=3 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958614 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=4 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958644 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=4 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550511): arch=c000003e syscall=82 success=yes exit=0 a0=7ecdb0 a1=7d10e0 a2=7f6c0782dcd4 a3=0 items=4 ppid=14614 pid=16951 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534
fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=9372 comm="db-update.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/db_v2/bin/db-update.impl.gcc4p64" key="link_operation"
node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550512): arch=c000003e syscall=82 success=yes exit=0 a0=9a6e50 a1=92e9f0 a2=7fe84e682cd4 a3=0 items=4 ppid=14595 pid=14937 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534
egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=10226 comm="multitool.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/bin/multitool" key="link_operation"
node=host1.domain type=CWD msg=audit(1324401918.113:223550511): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873"
node=host1.domain type=CWD msg=audit(1324401918.113:223550512): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4ef0423c-38fe"
node=host1.domain type=PATH msg=audit(1324401918.113:223550511): item=0 name="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" inode=30932995 dev=fd:0d mode=040755 ouid=3534 ogid=9001
rdev=00:00
[root@host1 ~]#
I’m referring to event ID 223550511 (key is link_operation) in the logs which is using a path of ‘/naab1/…’
How come this event is not ignored due to the 8th rule? I think I’m missing something.
Many thanks,
Max