The relationship between audit rules
Steve Grubb
sgrubb at redhat.com
Wed Aug 21 20:00:56 UTC 2013
On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
> I am little confused by the relationship between audit rules.
>
> I want to log all other users command history and read/write passwd except
> me (auid 16382)
>
> However, it seems I have to add -F auid!=16382 on both rules.
>
> -a always,exit -F arch=b32 -S execve -k EXEC_log
> -w /etc/passwd -p wr -k identity_write
>
> I tried to add following rules "before" the two rules above.
> -a never,exit -F auid=16382
>
> However, it does not work at all.
>
> So, the rules in audit rules seem independent from each other. Am I right?
For each filter, the first match wins. So, you have to organize the rules from
specific to general in case there's a possibility of triggering two or more
rules.
You could do this:
-a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log
or
-a never,exit -F arch=b32 -S all -F auid=16382
-a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F key=EXEC_log
They should be equivalent. Also, the only time you need b32 is when you have
an x86_64 system. In that case you need another set of rules with b64 since
64 bit systems normally have both 32 and 64 bit interfaces. If you have true
32 bit system just delete the field.
-Steve
More information about the Linux-audit
mailing list