-a never,exit still being logged

Andreas Hasenack andreas at canonical.com
Thu Nov 19 18:43:34 UTC 2020


Hi,

continuing my experiments in trying to reduce the auditd noise, I have
these two rules:

# auditctl -l
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/iptables -F auid=-1
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=-1

I did use -F auid=4294967295 in the rules file, and auditd seems to
have understood that correctly as it's showing -1 in the rules list.

But this event is still being logged:
type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030

Same event, decoded with ausearch -i:
----
type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) : proctitle=iptables-restore --noflush --verbose --wait 10 --wait-interval 50000
type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor exe=/sbin/xtables-multi key=(null)
type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) : table=filter family=ipv4 entries=281
----

Why is it being logged, given that it matches the second (and last) rule I have?
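When a `-a never,exit` rule does not seem to suppress an event, the first thing to verify is that every `-F`/`-S` condition really holds for the SYSCALL record, since the rule and the raw log use different notations for the same value (a2=0x40 versus a2=40, auid=-1 versus auid=4294967295, arch=b64 versus arch=c00000b7). The script below is an added example, not code from the mail or from the audit project: it parses the two rules and the raw event quoted above and reports, per rule, which conditions match. It assumes a one-entry syscall table taken from the decoded ausearch output in the mail (setsockopt is 208 on aarch64), and it approximates `arch=b64` as "any arch value with the 64-bit flag set", which is how auditctl resolves b64 on the host it runs on.

```python
"""Check auditctl rule conditions field-by-field against a raw SYSCALL record.

Added example; not from the original mail or from the audit project.
Assumptions: SYSCALL_NUMBERS is a hand-made table from the mail's decoded
output, and 'arch=b64' is treated as 'record arch has the 64-bit flag set'.
"""
import re
import shlex

AUDIT_ARCH_64BIT = 0x80000000          # flag bit in the kernel's audit arch values
ARCH_NAMES = {0xC00000B7: "aarch64"}   # c00000b7 decoded as aarch64 in the mail
SYSCALL_NUMBERS = {("aarch64", "setsockopt"): 208}  # constructed from the mail's ausearch -i output
HEX_FIELDS = {"arch", "a0", "a1", "a2", "a3"}       # raw records print these in bare hex

# The two rules and the raw event exactly as quoted in the mail (lines unwrapped).
RULES = [
    "-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/iptables -F auid=-1",
    "-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=-1",
]
EVENT = [
    "type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281",
    "type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 "
    "a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 "
    "euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 "
    'comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)',
    "type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=6970746162",
]


def parse_record(line):
    """Turn 'type=SYSCALL msg=audit(...): k=v k="v" ...' into a dict of strings."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def parse_rule(rule):
    """Split an auditctl rule into its action, -S names and (field, op, value) filters."""
    tokens = shlex.split(rule)
    parsed = {"action": None, "syscalls": [], "filters": []}
    for flag, arg in zip(tokens[0::2], tokens[1::2]):
        if flag == "-a":
            parsed["action"] = arg
        elif flag == "-S":
            parsed["syscalls"].append(arg)
        elif flag == "-F":
            field, op, value = re.match(r"(\w+)(!=|=)(.*)", arg).groups()
            parsed["filters"].append((field, op, value))
    return parsed


def rule_value(text):
    """Rule side: '0x40' is hex, '-1' and '4294967295' both mean 'unset' (u32 wraparound)."""
    return int(text, 16) if text.startswith("0x") else int(text) & 0xFFFFFFFF


def record_value(field, text):
    """Record side: arch and a0..a3 are bare hex, everything else decimal."""
    return int(text, 16) if field in HEX_FIELDS else int(text)


def values_equal(field, want, got):
    """Compare one -F value with the record's value, numerically where both parse."""
    if field == "arch" and want in ("b32", "b64"):
        is64 = bool(record_value("arch", got) & AUDIT_ARCH_64BIT)
        return is64 == (want == "b64")
    try:
        return rule_value(want) == record_value(field, got)
    except ValueError:          # non-numeric field such as exe: plain string compare
        return want == got


def syscall_matches(name, record):
    """Resolve -S <name> to a number for the record's arch and compare."""
    arch = ARCH_NAMES.get(record_value("arch", record["arch"]))
    number = SYSCALL_NUMBERS.get((arch, name))
    return number is not None and int(record["syscall"]) == number


def evaluate(rule, record):
    """Return (all_conditions_hold, [(condition, held), ...]) for one rule."""
    parsed = parse_rule(rule)
    details = [("-S " + n, syscall_matches(n, record)) for n in parsed["syscalls"]]
    for field, op, want in parsed["filters"]:
        held = values_equal(field, want, record.get(field, ""))
        details.append((f"-F {field}{op}{want}", held if op == "=" else not held))
    return all(held for _, held in details), details


def diagnose(rules, event_lines):
    """Find the SYSCALL record of one event and evaluate every rule against it."""
    records = [parse_record(line) for line in event_lines]
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    return [evaluate(rule, syscall) for rule in rules]


if __name__ == "__main__":
    for rule, (matched, details) in zip(RULES, diagnose(RULES, EVENT)):
        print(("MATCH   " if matched else "no match") + "  " + rule)
        for condition, held in details:
            print(f"    {'ok  ' if held else 'FAIL'} {condition}")
```

Run against the mail's own data, the first rule fails only on `exe` and the second rule satisfies every condition, which confirms the mail's observation that the event does match the second rule on paper; the table-driven parts (ARCH_NAMES, SYSCALL_NUMBERS) would need to be filled from `ausearch -i` output for any other architecture or syscall.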




More information about the Linux-audit mailing list