Re: Multiple Rule Logic

Wed, 17 May 2006 08:31:10 -0700 

Steve Grubb wrote:

On Tuesday 16 May 2006 16:13, Michael C Thompson wrote:

I was wondering what is to be expected when multiple rules exist that
pertain to the same action.



You have to consider the lists that they are on. Each list is evaluated from 
first to last. Any event that is created is sent to the exclude filter for 
potential action.



Alright, could you add some examples of using the exclude list to the 
man page? It isn't clear how it's use is intended.



Examples:
entry,always -S chmod   - should see a record for chmod
exclude,always -S all   - should never see any sys calls

Combined, should I expect a chmod record?


Yes. The exclude filter only removes records by message type.

exclude,always -F msgtype=SYSCALL

would be a valid use of it.



I just tested this, and I think, from what I understood of your above 
statement, that it is not functioning correctly... here is my transcript.


# auditctl -a entry,always -S chmod
# auditctl -a exclude,always -F msgtype=SYSCALL
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always msgtype=SYSCALL (0x514) syscall=all
# chmod 0770 500 [yes, 500 is a file]

Resulting audit log:
--------------------

type=SYSCALL msg=audit(1147813843.750:128591): arch=40000003 syscall=15 
success=yes exit=0 a0=859c8b0 a1=1f8 a2=8051774 a3=0 items=1 ppid=30211 
pid=30277 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts4 comm="chmod" exe="/bin/chmod" 
subj=root:staff_r:staff_t:s0-s15:c0.c255

type=CWD msg=audit(1147813843.750:128591):  cwd="/root"

type=PATH msg=audit(1147813843.750:128591): item=0 name="500" 
inode=786439 dev=03:03 mode=0100777 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:sysadm_home_dir_t:s0




 From my experiments with the current code, if any one rule instructs
audit to log the action, auditd will log it (i.e. I'll see a chmod
record). I'm wondering if this is the intended functionality.



I suspect we should have an error when you try to load a rule like in you 
example.



Currently, no errors are returned. Here is the transcript of my 
originally list above actions.


# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
# auditctl -a exclude,always -S all
# auditctl -l
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exclude,always syscall=all


Mike

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit






















					Reply via email to