-a never,exit still being logged

Steve Grubb sgrubb at redhat.com
Thu Nov 19 18:52:47 UTC 2020


On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> Hi,
> 
> continuing my experiments in trying to reduce the auditd noise, I have
> these two rules:
> 
> # auditctl -l
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
> exe=/sbin/iptables -F auid=-1
> -a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F
> exe=/sbin/xtables-multi -F auid=-1
> 
> I did use -F auid=4294967295 in the rules file, and auditd seems to
> have understood that correctly as it's showing -1 in the rules list.
> 
> But this event is still being logged:
> type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter
> family=2 entries=281
> type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208
> success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950
> pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor"
> exe="/sbin/xtables-multi" key=(null)
> type=PROCTITLE msg=audit(1605810940.198:1089):
> proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D7665726
> 26F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
> 
> Same event, decoded with ausearch -i:
> ----
> type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) :
> proctitle=iptables-restore --noflush --verbose --wait 10
> --wait-interval 50000
> type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64
> syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip
> a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor
> exe=/sbin/xtables-multi key=(null)
> type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) :
> table=filter family=ipv4 entries=281
> ----
> 
> Why is it being logged, given that it matches the second (and last) rule I
> have?

These two events are considered kernel configuration changes, which means that
they do not originate via the SYSCALL rule engine. The -a never,exit
technique works only when the event is generated as a result of other SYSCALL
rules. Normally you would place that higher up so it matches first.

In this case, what you would want to do is suppress it using the exclude 
filter:

-a always,exclude -F msgtype=NETFILTER_CFG

That should fix it.

-Steve
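As an added example (not code from the thread or from the audit project), the Python below parses the raw three-record event quoted above, decodes it the way `ausearch -i` does (hex proctitle back into a command line, auid 4294967295 shown as "unset"), and checks two things worth verifying before concluding a rule is broken: that the never,exit rule's -F values really do line up with the SYSCALL record (they do, so the explanation is the one Steve gives, the syscall rule engine never produced this event), and that an exclude rule on msgtype=NETFILTER_CFG names a record type that is actually present in the event. The filter matching is a simplified model written for this example, not the kernel's auditfilter logic; the sample records are constructed by rejoining the wrapped lines of the quoted event.

```python
"""Decode a raw auditd event and compare it against rule filters (added example)."""
import re
from typing import Dict, List

UNSET_ID = 4294967295  # auditctl -l prints this as -1, ausearch -i as "unset"

# Constructed sample: the three records of event 1089 quoted in the thread,
# with the wrapped lines rejoined so each record sits on one line.
RAW_EVENT = """\
type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030
"""

_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
_MSG = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')    # msg=audit(sec.msec:serial)


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw record into its fields; values keep their quotes for now."""
    fields = dict(_PAIR.findall(line))
    m = _MSG.search(fields.get("msg", ""))
    if not m:
        raise ValueError(f"record without msg=audit(...): {line!r}")
    fields["_serial"] = m.group(3)
    return fields


def decode_proctitle(value: str) -> str:
    """PROCTITLE is hex with NUL-separated argv unless it was simple enough to quote."""
    if value.startswith('"'):
        return value.strip('"')
    return " ".join(p.decode() for p in bytes.fromhex(value).split(b"\0") if p)


def decode_id(value: str) -> str:
    """Render the 'unset' sentinel the way ausearch -i does."""
    return "unset" if int(value) == UNSET_ID else value


def decode_event(raw: str) -> dict:
    """Group the records of one event (same serial) and decode the interesting fields."""
    records: List[Dict[str, str]] = [parse_record(l) for l in raw.splitlines() if l.strip()]
    serials = {r["_serial"] for r in records}
    if len(serials) != 1:
        raise ValueError(f"expected one event, got serials {sorted(serials)}")
    event = {"serial": int(serials.pop()), "types": [r["type"] for r in records],
             "records": records, "proctitle": None, "auid": None}
    for r in records:
        if r["type"] == "PROCTITLE":
            event["proctitle"] = decode_proctitle(r["proctitle"])
        elif r["type"] == "SYSCALL":
            event["auid"] = decode_id(r["auid"])
    return event


def _rule_int(value: str) -> int:
    """Rule values may be written as 0x40 or as decimal."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def syscall_filters_match(event: dict, filters: Dict[str, str]) -> bool:
    """Simplified model: do the -F field=value pairs agree with the SYSCALL record?
    Handles a0-a3 (hex in the record), id fields (-1 means unset) and plain strings."""
    sc = next((r for r in event["records"] if r["type"] == "SYSCALL"), None)
    if sc is None:
        return False
    for key, want in filters.items():
        have = sc.get(key)
        if have is None:
            return False
        if key in ("a0", "a1", "a2", "a3"):
            if int(have, 16) != _rule_int(want):
                return False
        elif key in ("auid", "uid", "euid", "suid", "fsuid", "gid", "egid", "sgid", "fsgid"):
            if int(have) != (UNSET_ID if want == "-1" else int(want)):
                return False
        elif have.strip('"') != want:
            return False
    return True


def exclude_rule_matches(event: dict, msgtype: str) -> bool:
    """An -a always,exclude -F msgtype=X rule is keyed on record type, not on syscall fields."""
    return msgtype in event["types"]


if __name__ == "__main__":
    ev = decode_event(RAW_EVENT)
    print(ev["serial"], ev["types"], ev["auid"])
    print("proctitle:", ev["proctitle"])
    print("never,exit -F values line up:",
          syscall_filters_match(ev, {"a2": "0x40", "exe": "/sbin/xtables-multi", "auid": "-1"}))
    print("exclude NETFILTER_CFG would apply:", exclude_rule_matches(ev, "NETFILTER_CFG"))
```

Running it shows the field values of the second never,exit rule all agree with the SYSCALL record, so nothing is wrong with the rule as written; the exclude check confirms NETFILTER_CFG is one of the three record types in the event, which is the type Steve's `-a always,exclude -F msgtype=NETFILTER_CFG` rule names.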