The relationship between audit rules
zhu xiuming
xiumingzhu at gmail.com
Wed Aug 21 19:35:01 UTC 2013
I am a little confused by the relationship between audit rules.
I want to log all other users' command history and read/write passwd except
me (auid 16382).
However, it seems I have to add -F auid!=16382 on both rules.
-a always,exit -F arch=b32 -S execve -k EXEC_log
-w /etc/passwd -p wr -k identity_write
I tried to add the following rule "before" the two rules above.
-a never,exit -F auid=16382
However, it does not work at all.
So, the rules in audit rules seem independent from each other. Am I right?