Does the order / position of audit rule's arguments matter?

Mon Jan 19 18:19:16 UTC 2015

Thank you both for quick replies.

----- Original Message -----
> From: "Steve Grubb" <sgrubb at redhat.com>
> To: "Richard Guy Briggs" <rgb at redhat.com>
> Cc: linux-audit at redhat.com, "Jan Lieskovsky" <jlieskov at redhat.com>, "Shawn Wells" <shawn at redhat.com>
> Sent: Monday, January 19, 2015 7:11:10 PM
> Subject: Re: Does the order / position of audit rule's arguments matter?
> 
> On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> > On 15/01/19, Steve Grubb wrote:
> > > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > > Hello folks,
> > > > 
> > > >   wasn't able to find answer to the following question in the auditctl
> > > > 
> > > > manual page, thus checking here - does the order / position in which
> > > > the
> > > > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in
> > > > the rule matter or all permutations of the arguments are allowed?
> > > 
> > > Yes, its a first match wins system. I tell people to order from specific
> > > to
> > > general. IOW, put a watch on /etc/shadow before a watch on /etc.
> > 
> > I don't think that answers Jan's question.  I understood the question to
> > be the ordering of arguments *within* a rule.

Yes, was about this case. But good to know also order of rules matters
(to list them that way).

>  I believe the answer is
> > "no".
> > 
> > so:
> > 	-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> auid!=4294967295
> > -k privileged would be equivalent to:
> > 	-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F
> auid>=500
> > -k privileged
> 
> If that is the case, then you want to have the fields in the order in which
> the
> system can decide "no" as fast as possible.

Meaning the audit rule's arguments to be sorted? Or just follow the form
as it's listed for example in /usr/share/doc/audit-2.3.7/stig.rules file?
(IOW action first, then path to binary, then other -F arguments - for these
to be listed in ascending alphabetical order?)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> 
> -Steve
> 
> 
> > > -Steve
> > > 
> > > > IOW suppose the following rule:
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > > 
> > > > auid!=4294967295 -k privileged
> > > > 
> > > > Is
> > > > 
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > > 
> > > > auid!=4294967295 -k privileged
> > > > 
> > > > the only allowed form or are all the other possible argument
> > > > permutations
> > > > [*] also valid / supported (under assumption there isn't some option
> > > > missing or some new option added of course when compared to the
> > > > original
> > > > rule)?
> > > > 
> > > > Thank you && Regards, Jan.
> > > > --
> > > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > > > 
> > > > [*] For example suppose five different /etc/audit/audit.rules
> > > > configurations would use the forms as follows below - do all of them
> > > > represent equivalent requirement / setting? (regardless how much it's
> > > > likely they would be expressed in that form of)
> > > > 
> > > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > > auid!=4294967295
> > > > -k privileged -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > > auid!=4294967295
> > > > -k privileged -a always,exit -F perm=x -F auid>=500 -F auid!=4294967295
> > > > -k
> > > > privileged -a always, exit -F path/bin/ping -F auid>=500 -F
> > > > auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > > perm=x
> > > > -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > > perm=x -F auid>=500 ..
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rbriggs at redhat.com>
> > Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> > Red Hat Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
> 
> 