On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
Hi,
continuing my experiments in trying to reduce the auditd noise, I have
these two rules:
# auditctl -l
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/iptables -F auid=-1
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=-1
I did use -F auid=4294967295 in the rules file, and auditd seems to
have understood that correctly as it's showing -1 in the rules list.
But this event is still being logged:
type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
Same event, decoded with ausearch -i:
----
type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) : proctitle=iptables-restore --noflush --verbose --wait 10 --wait-interval 50000
type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor exe=/sbin/xtables-multi key=(null)
type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) : table=filter family=ipv4 entries=281
----
Why is it being logged, given that it matches the second (and last) rule I have?
These two events are considered kernel configuration changes, which means that
they do not originate via the SYSCALL rule engine. The -a never,exit
technique works only when the event is generated as a result of other SYSCALL
rules. Normally you would place that higher up so it matches first.
In this case, what you would want to do is suppress it using the exclude
filter:
-a always,exclude -F msgtype=NETFILTER_CFG
That should fix it.
-Steve
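An added example, not code from the thread or from the audit project: a small Python script that parses raw audit records like the ones quoted above, groups them into events by their msg=audit(timestamp:serial) id, decodes the PROCTITLE hex, and lists which events in an existing log contain a record of a given type. It lets you check, before putting `-a always,exclude -F msgtype=NETFILTER_CFG` in the rules file, which events that rule targets and which binaries trigger them; an exclude rule keyed only on msgtype matches every record of that type, not just the ones from iptables-restore. The sample log is constructed: the three records from Andreas's event joined back onto single lines, plus one made-up SYSCALL event from another process for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample log: the records quoted in the thread (each on one line) plus one
# made-up, unrelated SYSCALL event so the report has something it should not flag.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
type=SYSCALL msg=audit(1605810950.000:1090): arch=c00000b7 syscall=56 success=yes exit=3 a0=ffffff9c a1=aaaa00000000 a2=80000 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="watch-etc"
"""

# Raw record layout: "type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <key=value ...>"
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Values are either double-quoted strings or a run of non-space characters, e.g. key=(null)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into its type, event id (timestamp, serial) and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "event": (ts, int(serial)), "fields": fields}


def group_events(log_text):
    """Group records into events; all records of one event share msg=audit(ts:serial)."""
    events = OrderedDict()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event"], []).append(rec)
    return events


def decode_proctitle(hex_value):
    """PROCTITLE carries argv hex-encoded with NUL separators; return it as a list."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")


def events_with_msgtype(events, msgtype):
    """List the events an '-a always,exclude -F msgtype=<msgtype>' rule would target,
    together with the exe and argv of the process that produced each one."""
    hits = []
    for event_id, records in events.items():
        if not any(r["type"] == msgtype for r in records):
            continue
        by_type = {r["type"]: r["fields"] for r in records}
        exe = by_type.get("SYSCALL", {}).get("exe")
        argv = []
        if "PROCTITLE" in by_type:
            argv = decode_proctitle(by_type["PROCTITLE"]["proctitle"])
        hits.append({"event": event_id, "exe": exe, "argv": argv})
    return hits


def main():
    events = group_events(SAMPLE_LOG)
    print("%d events in log" % len(events))
    for hit in events_with_msgtype(events, "NETFILTER_CFG"):
        print("event %s:%d  exe=%s  argv=%s" % (hit["event"][0], hit["event"][1],
                                                 hit["exe"], " ".join(hit["argv"])))


if __name__ == "__main__":
    main()
```

Run it against `/var/log/audit/audit.log` instead of the constructed sample (replace `SAMPLE_LOG` with the file's contents) to see how many events the exclude rule would remove and whether anything other than iptables-restore is among them.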