audit.rules being really processed sequentially?

Ede Wolf listac at nebelschwaden.de
Thu Sep 2 15:54:12 UTC 2021


Hello,


In my pursuit of taming auditd so that it only logs what has explicitly 
been defined and nothing more, I've thought of a set of catch-all rules 
at the end. As the rules file is supposedly processed 
sequentially, i.e. first hit matches, this ought to work. But it doesn't.

Having a very simple rules file as an example:

-D
-e 1

-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE

-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
...

(continue this for every message type from this link:

  https://access.redhat.com/articles/4409591#audit-record-types-2)

As can easily be guessed, my expectation would be that the invocation of vi 
by anyone would get logged, as that rule comes first, but really 
nothing else, as it is being discarded by the catch-all rules.

Surprisingly however, in reality, nothing gets logged at all, not even 
the invocation of vi.

Now, removing those catch-all rules at the end does log the calling of 
vi, but of course also all other stuff I have neither defined nor want 
to be written out.

So, if the audit.rules file really is being processed sequentially, what 
am I missing in my approach?


Thanks very much for any insight.


Ede




More information about the Linux-audit mailing list
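Editor's note, with an added example that is not part of the original post and not code from the linux-audit project. The rules are indeed walked in order, but only within one filter list: `-a exit,...` rules go on the exit list, where the first matching rule decides whether a syscall event is recorded at all, while `-a always,exclude -F msgtype=...` rules go on a separate exclude list that the kernel consults for every record it is about to write, by record type, independently of which filter produced the event. A syscall event is a bundle of records (SYSCALL, EXECVE, CWD, PATH, PROCTITLE, ...), so once every message type from the referenced list is excluded, each record of the matched vi execve is dropped on its way out, which is the behaviour described above. The simulator below models that split. The rule text, the record types assumed to make up an execve event, the `CRED_ACQ`/`USER_START` message types used as stand-ins for the unwanted userspace noise, and the "targeted" alternative rule set are all constructed for this example; real kernels attach more fields and record types than this toy models.

```python
"""Toy model of the kernel audit filters: one ordered list per filter,
first match wins *within* the exit list, and the exclude list is applied
per record type regardless of the exit rule that produced the event."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Record types assumed to make up one execve() event (constructed for this example).
EXECVE_EVENT_RECORDS = ["SYSCALL", "EXECVE", "CWD", "PATH", "PROCTITLE"]
FILTER_LISTS = ("exit", "exclude", "user", "task")


@dataclass
class Rule:
    lst: str                                        # which filter list
    action: str                                     # "always" or "never"
    fields: Dict[str, str] = field(default_factory=dict)   # -F name=value
    syscalls: Set[str] = field(default_factory=set)        # -S names
    key: Optional[str] = None                              # -k key


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Parse the -a/-A subset of auditctl syntax into per-filter lists,
    preserving file order (-A prepends). -D, -e and comments are skipped."""
    lists: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[0] not in ("-a", "-A"):
            continue
        a, b = argv[1].split(",")
        lst, action = (a, b) if a in FILTER_LISTS else (b, a)  # both orders allowed
        rule = Rule(lst=lst, action=action)
        for opt, val in zip(argv[2::2], argv[3::2]):
            if opt == "-F":
                k, v = val.split("=", 1)
                rule.fields[k] = v
            elif opt == "-S":
                rule.syscalls.update(val.split(","))
            elif opt == "-k":
                rule.key = val
        bucket = lists.setdefault(lst, [])
        bucket.insert(0, rule) if argv[0] == "-A" else bucket.append(rule)
    return lists


@dataclass
class SyscallEvent:
    arch: str
    syscall: str
    path: str
    records: List[str]


def filter_exit(rules: Dict[str, List[Rule]], ev: SyscallEvent) -> Optional[Rule]:
    """Walk the exit list in file order; the first rule that matches decides."""
    for r in rules.get("exit", []):
        if r.syscalls and "all" not in r.syscalls and ev.syscall not in r.syscalls:
            continue
        if "arch" in r.fields and r.fields["arch"] != ev.arch:
            continue
        if "path" in r.fields and r.fields["path"] != ev.path:
            continue
        return r
    return None


def excluded(rules: Dict[str, List[Rule]], msgtype: str) -> bool:
    """The exclude list is consulted for every record about to be written."""
    return any(r.fields.get("msgtype") == msgtype for r in rules.get("exclude", []))


def emitted_records(rules: Dict[str, List[Rule]], ev: SyscallEvent) -> List[str]:
    """Record types of a syscall event that actually reach the log."""
    hit = filter_exit(rules, ev)
    if hit is None or hit.action != "always":
        return []
    return [t for t in ev.records if not excluded(rules, t)]


def emitted_user_record(rules: Dict[str, List[Rule]], msgtype: str) -> bool:
    """Userspace records (PAM, systemd, ...) never pass the exit list; only
    the exclude list can suppress them."""
    return not excluded(rules, msgtype)


# The posted approach, with a few of the "every message type" excludes spelled out.
POSTED_RULES = """
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=EXECVE
-a always,exclude -F msgtype=FD_PAIR
-a always,exclude -F msgtype=FS_RELABEL
-a always,exclude -F msgtype=SYSCALL
-a always,exclude -F msgtype=PATH
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=PROCTITLE
-a always,exclude -F msgtype=CRED_ACQ
"""
# Assumed alternative: exclude only the unwanted userspace types and leave
# the types that make up a syscall event alone.
TARGETED_RULES = """
-D
-e 1
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k EDIT_FILE
-a always,exclude -F msgtype=CRED_ACQ
-a always,exclude -F msgtype=USER_START
"""
VI_EXEC = SyscallEvent("b64", "execve", "/bin/vi", EXECVE_EVENT_RECORDS)
LS_EXEC = SyscallEvent("b64", "execve", "/bin/ls", EXECVE_EVENT_RECORDS)


def demo() -> Dict[str, object]:
    posted, targeted = parse_rules(POSTED_RULES), parse_rules(TARGETED_RULES)
    return {
        "posted/vi": emitted_records(posted, VI_EXEC),           # [] : every record excluded
        "posted/CRED_ACQ": emitted_user_record(posted, "CRED_ACQ"),
        "targeted/vi": emitted_records(targeted, VI_EXEC),       # full event survives
        "targeted/ls": emitted_records(targeted, LS_EXEC),       # [] : no exit rule matched
        "targeted/CRED_ACQ": emitted_user_record(targeted, "CRED_ACQ"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

Run it and the two rule sets show the difference: with the posted file the vi execve matches the exit rule but none of its records survive the exclude list, whereas the targeted file keeps the whole vi event, still records nothing for other binaries (no exit rule matches them), and still drops the excluded userspace types. The practical consequence for the approach above is to exclude by message type only what you know you do not want, never the SYSCALL/EXECVE/CWD/PATH/PROCTITLE family, and to leave syscall selection to the exit list.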