-a never,exit still being logged
Steve Grubb
sgrubb at redhat.com
Thu Nov 19 19:54:20 UTC 2020
On Thursday, November 19, 2020 1:59:58 PM EST Andreas Hasenack wrote:
> Hi,
>
> On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb at redhat.com> wrote:
> > On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > > Why is it being logged, given that it matches the second (and last)
> > > rule I have?
> >
> > These two events are considered kernel configuration changes. Which means
> > that they do not originate via the SYSCALL rule engine. The -a
> > never,exit technique works only when the event is generated as a result
> > of other SYSCALL rules. Normally you would place that higher up so it
> > matches first.
> >
> > In this case, what you would want to do is suppress it using the exclude
> > filter:
> >
> > -a always,exclude -F msgtype=NETFILTER_CFG
> >
> > That should fix it.
>
> I see, and I can still add auid=-1 to that one, right? Just not the exe
> filter?

You can add the -F auid=-1 if you want to.
-Steve