Multiple Rule Logic

Michael C Thompson thompsmc at us.ibm.com
Wed May 17 15:30:32 UTC 2006 

Steve Grubb wrote:
> On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:
>> I was wondering what is to be expected when multiple rules exist that
>> pertain to the same action.
> 
> You have to consider the lists that they are on. Each list is evaluated from 
> first to last. Any event that is created is sent to the exclude filter for 
> potential action.

Alright, could you add some examples of using the exclude list to the 
man page? It isn't clear how it's use is intended.

>> Examples:
>> entry,always -S chmod   - should see a record for chmod
>> exclude,always -S all   - should never see any sys calls
>>
>> Combined, should I expect a chmod record?
> 
> Yes. The exclude filter only removes records by message type.
> 
> exclude,always -F msgtype=SYSCALL
> 
> would be a valid use of it.

I just tested this, and I think, from what I understood of your above 
statement, that it is not functioning correctly... here is my transcript.

# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]

Resulting audit log:
--------------------
type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15 
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211 
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts4 comm="chmod" exe="/bin/chmod" 
subj=root:staff_r:staff_t:s0-s15:c0.c255
type=CWD msg=audit(1147813843.750:128591):  cwd="/root"
type=PATH msg=audit(1147813843.750:128591): item=0 name="500" 
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:sysadm_home_dir_t:s0


>>  From my experiments with the current code, if any one rule instructs
>> audit to log the action, auditd will log it (i.e. I'll see a chmod
>> record). I'm wondering if this is the intended functionality.
> 
> I suspect we should have an error when you try to load a rule like in you 
> example.

Currently, no errors are returned. Here is the transcript of my 
originally list above actions.

# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all


Mike

More information about the Linux-audit mailing list