MAC_IPSEC_EVENT Logged without rules
Steve Grubb
sgrubb at redhat.com
Mon Jan 9 16:46:15 UTC 2012
On Thursday, January 05, 2012 10:26:10 PM Diego Woitasen wrote:
> Hi,
> I have a machine with IPSEC running (Strongswan) and audit to
> register some user events. The weird thing is that I'm getting this
> messages logged without having any rule:
>
> Jan 6 00:21:43 nodovpn668 audispd: node=nodovpn668
> type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound
> src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15)
> seqno=1463943698
>
> My workaround is: auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT
>
> Bug or Am I missing something?
This is correct. There are 2 kinds of events: mandatory and discretionary. There
are a number of user space and kernel events that are generated no matter what,
like a user logging into a machine. But there are also some events that the
admin may not want and they need to be excluded. So, adding an exclude rule is
the right thing to do if you don't want them.
-Steve
More information about the Linux-audit
mailing list