3:13 p.m.
Hey Steve,
I was wondering what is to be expected when multiple rules exist that
pertain to the same action.
Examples:
entry,always -S chmod - should see a record for chmod
exclude,always -S all - should never see any sys calls
Combined, should I expect a chmod record?
From my experiments with the current code, if any one rule instructs
audit to log the action, auditd will log it (i.e. I'll see a chmod
record). I'm wondering if this is the intended functionality.
Thanks,
Mike
4:46 p.m.
On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
I was wondering what is to be expected when multiple rules exist
that
pertain to the same action.
You have to consider the lists that they are on. Each list is evaluated from
first to last. Any event that is created is sent to the exclude filter for
potential action.
Examples:
entry,always -S chmod - should see a record for chmod
exclude,always -S all - should never see any sys calls
Combined, should I expect a chmod record?
Yes. The exclude filter only removes records by message type.
exclude,always -F msgtype=SYSCALL
would be a valid use of it.
From my experiments with the current code, if any one rule
instructs
audit to log the action, auditd will log it (i.e. I'll see a chmod
record). I'm wondering if this is the intended functionality.
I suspect we should have an error when you try to load a rule like in you
example.
-Steve
10:30 a.m.
Steve Grubb wrote:
On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
> I was wondering what is to be expected when multiple rules exist that
> pertain to the same action.
You have to consider the lists that they are on. Each list is evaluated from
first to last. Any event that is created is sent to the exclude filter for
potential action.
Alright, could you add some examples of using the exclude list to the
man page? It isn't clear how it's use is intended.
> Examples:
> entry,always -S chmod - should see a record for chmod
> exclude,always -S all - should never see any sys calls
>
> Combined, should I expect a chmod record?
Yes. The exclude filter only removes records by message type.
exclude,always -F msgtype=SYSCALL
would be a valid use of it.
I just tested this, and I think, from what I understood of your above
statement, that it is not functioning correctly... here is my transcript.
# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]
Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 comm="chmod" exe="/bin/chmod"
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500"
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:sysadm_home_dir_t:s0
> From my experiments with the current code, if any one rule
instructs
> audit to log the action, auditd will log it (i.e. I'll see a chmod
> record). I'm wondering if this is the intended functionality.
I suspect we should have an error when you try to load a rule like in you
example.
Currently, no errors are returned. Here is the transcript of my
originally list above actions.
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all
Mike
6793
days inactive
6794
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Michael C Thompson -
Steve Grubb