Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

auditd never,exclude failing to exclude messages

by |Published

I seem to be having some issues writing auditd exclusions rules (to filter out things like systemd restarts and crons).
I thought this set of rules would work, but the messages are still getting written to the log file. (These are at the top of the rules file after restarting the daemon)

# head -n13 /etc/audit/audit.rules

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
-a never,exclude -F msgtype=SERVICE_START
-a never,exclude -F msgtype=SERVICE_STOP
-a never,exclude -F comm=cron -F exe=/usr/sbin/cron
-a never,exclude -F exe=/usr/sbin/cron -F terminal=cron
-a never,exclude -F msgtype=CRED_REFR
-a never,exclude -F msgtype=CRED_DISP
-a never,exclude -F msgtype=CRED_ACQ
-a never,exclude -F msgtype=DAEMON_START

The logs are still getting through:

Sep 21 16:39:03 auditd type=USER_END msg=audit(1663792741.916:535): pid=1250507 uid=0 auid=0 ses=955 subj==unconfined msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
Sep 21 16:39:03 auditd type=LOGIN msg=audit(1663792741.916:532): pid=1250507 uid=0 subj==unconfined old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=955 res=1UID="root" OLD-AUID="unset" AUID="root"
Sep 21 16:39:03 auditd type=CRED_ACQ msg=audit(1663792741.916:531): pid=1250507 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
Sep 21 16:39:03 auditd type=USER_START msg=audit(1663792741.916:533): pid=1250507 uid=0 auid=0 ses=955 subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
Sep 21 16:39:03 auditd type=LOGIN msg=audit(1663792741.916:532): pid=1250507 uid=0 subj==unconfined old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=955 res=1UID="root" OLD-AUID="unset" AUID="root"
Sep 21 16:39:03 auditd type=USER_ACCT msg=audit(1663792741.916:530): pid=1250507 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
Sep 21 16:39:03 auditd type=CRED_DISP msg=audit(1663792741.916:534): pid=1250507 uid=0 auid=0 ses=955 subj==unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
Sep 21 16:39:01 CRON[1250508]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)

As far as I understand it, never means don’t generate a record, and exclude means to add to the event exclusion list.
For an example, I am excluding the type of CRED_DISP, but there is clearly a log present containing type=CRED_DISP

I am on Debian 11 (5.10.0-16-amd64) with auditd version 3.0.

Is there something else about excludes that I am missing here?

You may also like