<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal">I have a system that is logging many events for a path that I think should be ignored…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[root@host1 ~]# auditctl -l<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditd_configuration<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=auditd_configuration<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always watch=/etc/libaudit.conf perm=wa key=auditd_configuration<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always watch=/etc/sysconfig/auditd perm=wa key=auditd_configuration<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/etc/lvm/cache (0xe) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/opt (0x4) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/tmp (0x4) syscall=all<o:p></o:p></p>
<p class="MsoNormal"><b>LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all<o:p></o:p></b></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/naab2 (0x6) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/ab1 (0x4) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/ab2 (0x4) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always perm=a key=file_attributes<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=file_attributes syscall=ioctl<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=-2146933247 (0x80086601) key=file_attributes syscall=ioctl<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) exit=-13 (0xfffffff3) key=invalid_logical_access syscall=open<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=bin_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=boot_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=etc_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/home (0x5) perm=wa key=home_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=lib_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=lib64_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/root (0x5) perm=wa key=root_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/sbin (0x5) perm=wa key=sbin_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=usr_modification<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/var/spool/at (0xd) perm=wa key=misc_var<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always dir=/var/spool/cron (0xf) perm=wa key=misc_var<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,never dir=/var (0x4) syscall=all<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=dir_operations syscall=mkdir,rmdir,unlinkat<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=link_operation syscall=rename,link,unlink,symlink<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=special_device_creation syscall=mknod,mknodat<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=mount_operation syscall=mount,umount2<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=kernel_module syscall=create_module,init_module,delete_module<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=CRED_ACQ (0x44f)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=CRED_DISP (0x450)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=CRYPTO_KEY_USER (0x964)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=CRYPTO_SESSION (0x967)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=LOGIN (0x3ee)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_ACCT (0x44d)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_AUTH (0x44c)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_CMD (0x463)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_END (0x452)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_LOGIN (0x458)<o:p></o:p></p>
<p class="MsoNormal">LIST_RULES: exclude,always msgtype=USER_START (0x451)<o:p></o:p></p>
<p class="MsoNormal">[root@host1 ~]# tail /var/log/audit/audit.log<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=3 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958573 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=2 name="temp_checkpoint.checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=3 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958614 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=4 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958644 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=4 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=SYSCALL msg=audit(1324401918.113:<b>223550511</b>): arch=c000003e syscall=82 success=yes exit=0 a0=7ecdb0 a1=7d10e0 a2=7f6c0782dcd4 a3=0 items=4 ppid=14614 pid=16951 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534
fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=9372 comm="db-update.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/db_v2/bin/db-update.impl.gcc4p64" key="link_operation"<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550512): arch=c000003e syscall=82 success=yes exit=0 a0=9a6e50 a1=92e9f0 a2=7fe84e682cd4 a3=0 items=4 ppid=14595 pid=14937 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534
egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=10226 comm="multitool.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/bin/multitool" key="link_operation"<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=CWD msg=audit(1324401918.113:<b>223550511</b>): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873"<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=CWD msg=audit(1324401918.113:223550512): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4ef0423c-38fe"<o:p></o:p></p>
<p class="MsoNormal">node=host1.domain type=PATH msg=audit(1324401918.113:<b>223550511</b>): item=0 name="<b>/naab1</b>/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" inode=30932995 dev=fd:0d mode=040755 ouid=3534 ogid=9001
rdev=00:00<o:p></o:p></p>
<p class="MsoNormal">[root@host1 ~]#<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m referring to event ID 223550511 (key is link_operation) in the logs which is using a path of ‘/naab1/…’<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">How come this event is not ignored due to the 8<sup>th</sup> rule? I think I’m missing something.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Many thanks,<o:p></o:p></p>
<p class="MsoNormal">Max<o:p></o:p></p>
</div>
<br clear="both">
________________________________________________________________________<BR>
In order to protect our email recipients, Betfair Group use SkyScan from <BR>
MessageLabs to scan all Incoming and Outgoing mail for viruses.<BR>
<BR>
________________________________________________________________________<BR>
</body>
</html>