Multiple Rule Logic
Michael C Thompson
thompsmc at us.ibm.com
Wed May 17 15:30:32 UTC 2006
Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
>
> You have to consider the lists that they are on. Each list is evaluated from
> first to last. Any event that is created is sent to the exclude filter for
> potential action.
Alright, could you add some examples of using the exclude list to the
man page? It isn't clear how it's use is intended.
>> Examples:
>> entry,always -S chmod - should see a record for chmod
>> exclude,always -S all - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
>
> Yes. The exclude filter only removes records by message type.
>
> exclude,always -F msgtype=SYSCALL
>
> would be a valid use of it.
I just tested this, and I think, from what I understood of your above
statement, that it is not functioning correctly... here is my transcript.
# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]
Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 comm="chmod" exe="/bin/chmod"
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591): cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500"
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:sysadm_home_dir_t:s0
>> From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
>
> I suspect we should have an error when you try to load a rule like in you
> example.
Currently, no errors are returned. Here is the transcript of my
originally list above actions.
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all
Mike
More information about the Linux-audit
mailing list