On Fri, Sep 08, 2023 at 04:56:05PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Sep 08, 2023 at 02:22:29AM +0200, Phil Sutter wrote:
> > Perform ruleset modifications and compare the NETFILTER_CFG type
> > notifications emitted by auditd match expectations.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > Calling auditd means enabling audit logging in kernel for the remaining
> > uptime. So this test will slow down following ones or even cause
> > spurious failures due to unexpected kernel log entries, timeouts, etc.
> >
> > Is there a way to test this in a less intrusive way? Maybe fence this
> > test so it does not run automatically (is it any good having it in
> > kernel then)?
>
> I think you could make a small libmnl program to listen to
> NETLINK_AUDIT events and filter only the logs you need from there. We
> already have a few programs like this in the selftest folder.

Turns out it is indeed possible to turn audit logging off again. I was
obviously misled by auditd not doing it (when killed at least).
Calling 'auditctl -e 0' inside the EXIT trap does the trick.

Implementing a custom audit listener tailored to our case is probably
still a good idea, but at least the biggest obstacle is gone IMO.

Thanks, Phil
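As an added example (not code from this thread, from Phil's patch or from the kernel selftests), here is a POSIX shell sketch of the approach the reply settles on: audit logging is switched on only for the duration of the test and switched back from an EXIT trap, and the NETFILTER_CFG records produced in the meantime are reduced to their stable fields and compared with an expectation string. It goes one step beyond the message's 'auditctl -e 0' by reading the previous state from 'auditctl -s' and restoring that, so a host that already had auditing enabled is left as found. Assumptions made here: auditd writes to its default log path /var/log/audit/audit.log (overridable via AUDIT_LOG), NETFILTER_CFG records carry the fields "table= family= entries= op=" in the order the kernel's audit_log_nfcfg() emits them, and the sample records embedded below are constructed. The on-host part only runs when NFT_AUDIT_RUN_ON_HOST=1 (a variable name chosen for this example) is set and the tools are present; otherwise the comparator is exercised on the constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel selftests.
# Enable audit logging only for this run, restore the previous state from an
# EXIT trap, and compare the NETFILTER_CFG records with expectations.

# Read 'auditctl -s' output from stdin and print the N of its "enabled N"
# line; prints 0 when the line is absent so the trap always has a value.
audit_enabled_state() {
	state=$(sed -n 's/^enabled \([0-9]*\).*/\1/p')
	printf '%s\n' "${state:-0}"
}

# Reduce NETFILTER_CFG records on stdin to "table=... family=... entries=...
# op=..." lines. Timestamps, serials, pids and comm= vary between runs, so
# only the fields derived from the ruleset change are kept. Records of any
# other type do not match the pattern and are dropped by sed -n.
nfcfg_summarize() {
	sed -n 's/^.*type=NETFILTER_CFG .*\(table=[^ ]* family=[0-9]* entries=[0-9]* op=[^ ]*\).*$/\1/p'
}

# Compare the summarized records on stdin with the expected text in $1.
# Returns 0 when identical, otherwise prints both sides and returns 1.
nfcfg_check() {
	expected=$1
	actual=$(nfcfg_summarize)
	[ "$actual" = "$expected" ] && return 0
	echo "expected:"; printf '%s\n' "$expected"
	echo "got:";      printf '%s\n' "$actual"
	return 1
}

# Constructed sample in the shape of auditd's log output for the kernel's
# audit_log_nfcfg() records (field order assumed; all values made up).
# The SYSCALL record is unrelated noise that the comparator must ignore.
SAMPLE_LOG='type=NETFILTER_CFG msg=audit(1694170000.123:4711): table=t family=2 entries=1 op=nft_register_table pid=1234 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1694170000.123:4712): table=t family=2 entries=1 op=nft_register_chain pid=1234 subj=unconfined comm="nft"
type=SYSCALL msg=audit(1694170000.123:4712): arch=c000003e syscall=46 success=yes exit=0 comm="nft"
type=NETFILTER_CFG msg=audit(1694170000.124:4713): table=t family=2 entries=1 op=nft_register_rule pid=1234 subj=unconfined comm="nft"'

EXPECTED='table=t family=2 entries=1 op=nft_register_table
table=t family=2 entries=1 op=nft_register_chain
table=t family=2 entries=1 op=nft_register_rule'

# EXIT trap: drop the test table and put audit logging back to the state
# recorded before the test (the remedy from the message, generalized).
audit_cleanup() {
	nft delete table ip t 2>/dev/null
	auditctl -e "$AUDIT_PREV" >/dev/null
}

# Real-host procedure: needs root, auditctl, nft and a running auditd.
run_on_host() {
	log=${AUDIT_LOG:-/var/log/audit/audit.log}   # assumption: auditd default path
	AUDIT_PREV=$(auditctl -s | audit_enabled_state)
	trap audit_cleanup EXIT
	auditctl -e 1 >/dev/null
	before=$(wc -l <"$log")                      # records present before the change
	nft add table ip t
	nft add chain ip t c
	nft add rule ip t c counter
	sleep 1                                      # let auditd flush to its log
	tail -n +$((before + 1)) "$log" | nfcfg_check "$EXPECTED" && echo "host records match"
}

if [ "${NFT_AUDIT_RUN_ON_HOST:-0}" = 1 ] && [ "$(id -u)" = 0 ] &&
   command -v auditctl >/dev/null && command -v nft >/dev/null; then
	run_on_host
else
	printf '%s\n' "$SAMPLE_LOG" | nfcfg_check "$EXPECTED" && echo "sample records match"
fi
```

Restoring the saved state rather than forcing 0 matters on hosts where auditing was already on: forcing it off would silently disable logging that some other component relies on, which is the same class of side effect the test was trying to avoid in the first place.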