-a never,exit still being logged

Andreas Hasenack andreas at canonical.com
Thu Nov 19 18:59:58 UTC 2020


Hi,

On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > Why is it being logged, given that it matches the second (and last) rule I
> > have?
>
> These two events are considered kernel configuration changes. Which means that
> they do not originate via the SYSCALL rule engine. The -a never,exit
> technique works only when the event is generated as a result of other SYSCALL
> rules. Normally you would place that higher up so it matches first.
>
> In this case, what you would want to do is suppress it using the exclude
> filter:
>
> -a always,exclude -F msgtype=NETFILTER_CFG
>
> That should fix it.

I see, and I can still add auid=-1 to that one, right? Just not the exe filter?
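As an added illustration of the ordering rules Steve describes (this is a constructed rules fragment, not something either poster supplied), the exclude filter is evaluated on the record type itself, so it catches NETFILTER_CFG records regardless of which path generated them, while a `-a never,exit` rule only short-circuits records that a later SYSCALL rule would otherwise produce and therefore has to sit above those rules. The exe path and the auid threshold below are placeholders:

```text
# /etc/audit/rules.d/10-filters.rules (constructed example; load with augenrules or auditctl -R)

# Kernel configuration events (NETFILTER_CFG, also CONFIG_CHANGE) bypass the
# SYSCALL rule engine, so they are dropped here with the exclude filter.
# Keep this near the top so the record is discarded before anything else runs.
-a always,exclude -F msgtype=NETFILTER_CFG

# "never" rules in the exit list only work against records produced by the
# SYSCALL rules that follow them; first match wins, so they go first.
-a never,exit -F arch=b64 -S all -F exe=/usr/sbin/placeholder-daemon

# Ordinary syscall auditing for interactive users (auid set and >= 1000).
-a always,exit -F arch=b64 -S all -F auid>=1000 -F auid!=-1 -k user-syscalls
```

Check the loaded result with `auditctl -l`: the exclude rule should appear before the exit rules, and a subsequent NETFILTER_CFG record should no longer reach the log.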
