Hi, continuing my experiments in trying to reduce the auditd noise, I have these two rules:
# auditctl -l
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/iptables -F auid=-1
-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 -F exe=/sbin/xtables-multi -F auid=-1

I did use -F auid=4294967295 in the rules file, and auditd seems to have understood that correctly as it's showing -1 in the rules list. But this event is still being logged:

type=NETFILTER_CFG msg=audit(1605810940.198:1089): table=filter family=2 entries=281
type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1605810940.198:1089): proctitle=69707461626C65732D726573746F7265002D2D6E6F666C757368002D2D766572626F7365002D2D77616974003130002D2D776169742D696E74657276616C003530303030

Same event, decoded with ausearch -i:

----
type=PROCTITLE msg=audit(11/19/20 18:35:40.198:1089) : proctitle=iptables-restore --noflush --verbose --wait 10 --wait-interval 50000
type=SYSCALL msg=audit(11/19/20 18:35:40.198:1089) : arch=aarch64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0xaaaaf478e680 items=0 ppid=7950 pid=31235 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iptables-restor exe=/sbin/xtables-multi key=(null)
type=NETFILTER_CFG msg=audit(11/19/20 18:35:40.198:1089) : table=filter family=ipv4 entries=281
----

Why is it being logged, given that it matches the second (and last) rule I have?

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
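When triaging a record like the one above, the first question is which of the rule's -F conditions the event actually satisfies, field by field. The following Python is an added example written for this page; it is not the poster's code and not part of the audit project. It parses a raw SYSCALL record into fields, decodes the arch value into its machine number, 64-bit and little-endian bits (the AUDIT_ARCH_* layout from the kernel's audit.h), parses the subset of auditctl syntax used in the post (-a, -S, -F with "="), and reports a per-field match result. Assumptions: the syscall table is a one-entry stand-in for aarch64 (asm-generic numbering, setsockopt = 208), and "b64" is approximated as "the 64-bit bit is set" rather than the host-resolved value auditctl loads into the kernel; the sample inputs are the post's own record and second rule.

```python
import re
import shlex

# Bits and machine number from the kernel's AUDIT_ARCH_* definitions
# (include/uapi/linux/audit.h); EM_AARCH64 is 183 (0xb7).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_AARCH64 = 183

# Assumption: one-entry stand-in for the aarch64 syscall table, enough for
# this example (asm-generic numbering puts setsockopt at 208).
SYSCALL_NAMES = {EM_AARCH64: {208: "setsockopt"}}

UNSET_ID = 0xFFFFFFFF  # auditctl prints -1 and ausearch prints "unset" for this
ID_FIELDS = {"auid", "uid", "euid", "suid", "fsuid", "gid", "egid", "sgid", "fsgid"}

# Sample input taken from the post above: the raw SYSCALL record and the second rule.
SAMPLE_RECORD = (
    "type=SYSCALL msg=audit(1605810940.198:1089): arch=c00000b7 syscall=208 "
    "success=yes exit=0 a0=4 a1=0 a2=40 a3=aaaaf478e680 items=0 ppid=7950 pid=31235 "
    "auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    'tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)'
)
SAMPLE_RULE = ("-a never,exit -F arch=b64 -S setsockopt -F a2=0x40 "
               "-F exe=/sbin/xtables-multi -F auid=-1")

# key=value tokens; values may be "quoted", (parenthesised) or bare.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict, stripping double quotes from values."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_arch(arch_hex):
    """Break the hex arch field into machine number and the 64-bit / LE flag bits."""
    value = int(arch_hex, 16)
    return {
        "machine": value & 0xFFFF,
        "is_64bit": bool(value & AUDIT_ARCH_64BIT),
        "little_endian": bool(value & AUDIT_ARCH_LE),
    }


def parse_rule(rule_line):
    """Parse the auditctl subset used in the post: -a action,list -S name -F key=value."""
    tokens = shlex.split(rule_line)
    rule = {"action": None, "list": None, "syscalls": [], "fields": {}}
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt == "-a":
            rule["action"], rule["list"] = arg.split(",", 1)
        elif opt == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F":
            key, value = arg.split("=", 1)
            rule["fields"][key] = value
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return rule


def _as_id(text):
    """Normalise uid-style values: -1 and 4294967295 both mean 'unset'."""
    n = int(text, 0)
    return UNSET_ID if n == -1 else n


def match_rule(rule, record):
    """Return {condition: bool} saying which of the rule's conditions the record meets."""
    results = {}
    arch = decode_arch(record["arch"])
    if rule["syscalls"]:
        name = SYSCALL_NAMES.get(arch["machine"], {}).get(int(record["syscall"]))
        results["syscall"] = name in rule["syscalls"]
    for key, want in rule["fields"].items():
        have = record.get(key)
        if key == "arch":
            # b64/b32 are approximated by the 64-bit bit; an explicit number is compared exactly.
            if want in ("b64", "b32"):
                results[key] = arch["is_64bit"] == (want == "b64")
            else:
                results[key] = int(want, 0) == int(have, 16)
        elif key in ("a0", "a1", "a2", "a3"):
            results[key] = int(have, 16) == int(want, 0)   # raw args are hex, rule may be 0x..
        elif key in ID_FIELDS:
            results[key] = _as_id(have) == _as_id(want)
        else:
            results[key] = have == want                   # exe, comm, key, ... compare as strings
    return results


if __name__ == "__main__":
    verdict = match_rule(parse_rule(SAMPLE_RULE), parse_record(SAMPLE_RECORD))
    for field, ok in verdict.items():
        print(f"{field:>8}: {'match' if ok else 'MISMATCH'}")
```

Running it on the post's record and second rule reports every condition as matching, which is exactly the situation the post asks about; the per-field table is still the useful starting point when an event slips past a never rule, because a mismatch in a single field (arch, a2 radix, exe path vs. comm) is the common cause and is easy to miss by eye.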
