audit rule problem

LC Bruzenak lenny at magitekltd.com
Wed Nov 15 00:38:48 UTC 2017


System:
Linux audit 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT 2017 
x86_64 x86_64 x86_64 GNU/Linux
userspace audit-2.4.5-3
Red Hat Enterprise Linux Client release 6.9 (Santiago)

I changed this line in /etc/audit/audit.rules from:
-a exit,always  -F arch=b64 -S mount -S umount2 -k mount
to this:
-a exit,always  -F arch=b64 -S mount -S umount2 -F subj_type!=nothing_t 
-k mount

Reloaded my rules, and now doing (as root):
# umount /boot; mount /boot

no longer produces audit events. I did this because on another system 
(mls policy, with lots of custom types) I lost the events once I 
included some custom types installed and operational on the system, so I 
was just trying to reduce this to a reproducible case. I can almost see 
that a non-existent type might fail, but maybe it should fail to load?

However, the bigger problem is that trying to add my other valid custom 
types into the exclusion on the mls policy machine is causing me to lose 
events. Any ideas?

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
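Added example, not part of the post above: a small POSIX shell check that pulls every subj_type value out of an audit rules file and reports those absent from the SELinux policy, so a rule that names a non-existent type (the reproducer above uses nothing_t) is caught before it is loaded and, if the post's suspicion is right, silently stops matching. The rules file and the type list are constructed here so it runs offline; on a real host the type list would come from `seinfo -t` (setools), which is an assumption about local tooling.

```shell
#!/bin/sh
# Report SELinux types used in -F subj_type filters that are not in the
# loaded policy. Constructed inputs below stand in for /etc/audit/audit.rules
# and for the output of `seinfo -t` (assumed available on the real host).

RULES_FILE="${TMPDIR:-/tmp}/audit.rules.example.$$"
KNOWN_TYPES="${TMPDIR:-/tmp}/selinux.types.example.$$"
trap 'rm -f "$RULES_FILE" "$KNOWN_TYPES"' EXIT

# Constructed sample rules, based on the lines quoted in the post.
cat > "$RULES_FILE" <<'EOF'
-a exit,always -F arch=b64 -S mount -S umount2 -F subj_type!=nothing_t -k mount
-a exit,always -F arch=b64 -S open -F subj_type=unconfined_t -k open
-w /etc/passwd -p wa -k passwd
EOF

# Constructed stand-in for `seinfo -t`: one type name per line.
cat > "$KNOWN_TYPES" <<'EOF'
unconfined_t
init_t
mount_t
EOF

# subj_type_filters RULES: print each subj_type value in RULES, one per line,
# for both the "=" and "!=" forms, with the operator stripped.
subj_type_filters() {
    grep -o -- '-F subj_type!*=[^ ]*' "$1" | sed 's/.*=//' | sort -u
}

# unknown_subj_types RULES TYPES: print subj_type values from RULES that do
# not appear as a whole line in TYPES.
unknown_subj_types() {
    subj_type_filters "$1" | while read -r t; do
        grep -qx -- "$t" "$2" || echo "$t"
    done
}

# Prints "nothing_t" for the constructed inputs.
unknown_subj_types "$RULES_FILE" "$KNOWN_TYPES"
```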

