Unable to exclude all msgtype in rules

SHWETHABHAT1 commented 1 month ago

NOTE: Please refer to the Reporting Bug and Requesting Features wiki page before creating any new GitHub issues.

Requirement: I want to see if there is a rule/option to exclude all hardwired events, if auid=unset.

Rules Tried: -a always,exclude -F msgtype=ALL -F auid=-1

The above rule throws below error when executed augenrules --load.

-F unknown message type - msgtype
There was an error in line 7 of /etc/audit/audit.rules

But in ausearch, we have a option for including all the message types.

~# ausearch -m
Argument is required for -m
Valid message types are: ALL USER LOGIN USER_AUTH USER_ACCT USER_MGMT CRED_ACQ CRED_DISP USER_START USER_END USER_AVC USER_CHAUTHTOK USER_ERR CRED_REFR USYS_CONFIG USER_LOGIN USER_LOGOUT ADD_USER DEL_USER ADD_GROUP DEL_GROUP DAC_CHECK CHGRP_ID TEST TRUSTED_APP USER_SELINUX_ERR USER_CMD USER_TTY CHUSER_ID GRP_AUTH SYSTEM_BOOT SYSTEM_SHUTDOWN SYSTEM_RUNLEVEL SERVICE_START SERVICE_STOP GRP_MGMT GRP_CHAUTHTOK MAC_CHECK ACCT_LOCK ACCT_UNLOCK USER_DEVICE SOFTWARE_UPDATE DAEMON_START DAEMON_END DAEMON_ABORT DAEMON_CONFIG DAEMON_ROTATE DAEMON_RESUME DAEMON_ACCEPT DAEMON_CLOSE DAEMON_ERR SYSCALL PATH IPC SOCKETCALL CONFIG_CHANGE SOCKADDR CWD EXECVE IPC_SET_PERM MQ_OPEN MQ_SENDRECV MQ_NOTIFY MQ_GETSETATTR KERNEL_OTHER FD_PAIR OBJ_PID TTY EOE BPRM_FCAPS CAPSET MMAP NETFILTER_PKT NETFILTER_CFG SECCOMP PROCTITLE FEATURE_CHANGE KERN_MODULE FANOTIFY TIME_INJOFFSET TIME_ADJNTPVAL BPF EVENT_LISTENER URINGOP OPENAT2 DM_CTRL DM_EVENT AVC SELINUX_ERR AVC_PATH MAC_POLICY_LOAD MAC_STATUS MAC_CONFIG_CHANGE MAC_UNLBL_ALLOW MAC_CIPSOV4_ADD MAC_CIPSOV4_DEL MAC_MAP_ADD MAC_MAP_DEL MAC_IPSEC_ADDSA MAC_IPSEC_DELSA MAC_IPSEC_ADDSPD MAC_IPSEC_DELSPD MAC_IPSEC_EVENT MAC_UNLBL_STCADD MAC_UNLBL_STCDEL MAC_CALIPSO_ADD MAC_CALIPSO_DEL ANOM_PROMISCUOUS ANOM_ABEND ANOM_LINK ANOM_CREAT INTEGRITY_DATA INTEGRITY_METADATA INTEGRITY_STATUS INTEGRITY_HASH INTEGRITY_PCR INTEGRITY_RULE INTEGRITY_EVM_XATTR INTEGRITY_POLICY_RULE KERNEL ANOM_LOGIN_FAILURES ANOM_LOGIN_TIME ANOM_LOGIN_SESSIONS ANOM_LOGIN_ACCT ANOM_LOGIN_LOCATION ANOM_MAX_DAC ANOM_MAX_MAC ANOM_AMTU_FAIL ANOM_RBAC_FAIL ANOM_RBAC_INTEGRITY_FAIL ANOM_CRYPTO_FAIL ANOM_ACCESS_FS ANOM_EXEC ANOM_MK_EXEC ANOM_ADD_ACCT ANOM_DEL_ACCT ANOM_MOD_ACCT ANOM_ROOT_TRANS ANOM_LOGIN_SERVICE ANOM_LOGIN_ROOT ANOM_ORIGIN_FAILURES ANOM_SESSION RESP_ANOMALY RESP_ALERT RESP_KILL_PROC RESP_TERM_ACCESS RESP_ACCT_REMOTE RESP_ACCT_LOCK_TIMED RESP_ACCT_UNLOCK_TIMED RESP_ACCT_LOCK RESP_TERM_LOCK RESP_SEBOOL RESP_EXEC RESP_SINGLE RESP_HALT RESP_ORIGIN_BLOCK RESP_ORIGIN_BLOCK_TIMED RESP_ORIGIN_UNBLOCK_TIMED USER_ROLE_CHANGE ROLE_ASSIGN ROLE_REMOVE LABEL_OVERRIDE LABEL_LEVEL_CHANGE USER_LABELED_EXPORT USER_UNLABELED_EXPORT DEV_ALLOC DEV_DEALLOC FS_RELABEL USER_MAC_POLICY_LOAD ROLE_MODIFY USER_MAC_CONFIG_CHANGE USER_MAC_STATUS CRYPTO_TEST_USER CRYPTO_PARAM_CHANGE_USER CRYPTO_LOGIN CRYPTO_LOGOUT CRYPTO_KEY_USER CRYPTO_FAILURE_USER CRYPTO_REPLAY_USER CRYPTO_SESSION CRYPTO_IKE_SA CRYPTO_IPSEC_SA VIRT_CONTROL VIRT_RESOURCE VIRT_MACHINE_ID VIRT_INTEGRITY_CHECK VIRT_CREATE VIRT_DESTROY VIRT_MIGRATE_IN VIRT_MIGRATE_OUT

If ALL is not supported in rules, is there a page to see what are all the supported and different ways to give msgtypes ? Any help would be appreciated.

@stevegrubb

stevegrubb commented 1 month ago

There is no support for an all keyword for msgtype. It would be the same as just matching on -F auid=-1. But, that will also lose events about daemons. The hardwired events are mostly located 1100 - 1199 and 2400 - 2600. The BPF event is also pretty useless. If I were you, I'd collect some events for a period of time and then run aureport --event --summary -i for that period of time. That would give you an ordered list of what events are in your logs. You can probably get rid of 90% with less than 10 rules that match an exact msgtype.

SHWETHABHAT1 commented 2 weeks ago

Currently support not possible

linux-audit / audit-userspace

Unable to exclude all msgtype in rules #392