Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 543704

Summary: sys-process/audit: drop custom default filters
Product: Gentoo Linux Reporter: Joakim Tjernlund <joakim.tjernlund>
Component: Current packagesAssignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED ---    
Severity: normal CC: robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Joakim Tjernlund 2015-03-18 16:29:59 UTC 
/etc/audit/audit.rules has this:

# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat

Which means logging is off for most syscalls. This is a big suprise when
you do your first audit logging and find you logs alomst empty.

Gentoo adds these lines, could these be put under comment per default instead?