<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 6.00.6000.16481" name=GENERATOR></HEAD> <BODY> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007>Hello,</SPAN></FONT></DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007>I would like some of my audit rules to apply when auid >= 500 </SPAN></FONT></DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007>For example consider this use case:</SPAN></FONT></DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007>[root@localhost audit]# auditctl -v<BR>auditctl version 1.3.1</SPAN></FONT></DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007>[root@localhost audit]# cat /etc/audit/audit.rules<BR># This file contains the auditctl rules that are loaded<BR># whenever the audit daemon is started via the initscripts.<BR># The rules are simply the parameters that would be passed<BR># to auditctl.</SPAN></FONT></DIV> <DIV><FONT face="Courier New"></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007># First rule - delete all<BR>-D</SPAN></FONT></DIV> <DIV><FONT face="Courier New"></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007># Increase the buffers to survive stress events.<BR># Make this bigger for busy systems<BR>-b 256</SPAN></FONT></DIV> <DIV><FONT face="Courier New"></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007># Feel free to add below this line. See auditctl man page</SPAN></FONT></DIV> <DIV><FONT face="Courier New"></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007>-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test</SPAN></FONT></DIV> <DIV><FONT face="Courier New"></FONT> </DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007>[root@localhost audit]# /etc/init.d/auditd restart<BR>Stopping auditd: [ OK ]<BR>Starting auditd: [ OK ]<BR></SPAN></FONT></DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007>[root@localhost audit]# auditctl -l<BR>LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall<BR></DIV></SPAN></FONT> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007><FONT face=Arial></FONT> </DIV></SPAN></FONT> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007>In "/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows that the rule matches "auid=500".</SPAN></FONT></DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007>What is the syntax for creating a rule that applies when auid>=500 ?</SPAN></FONT></DIV> <DIV><FONT face="Courier New" size=2><SPAN class=793573513-06082007></SPAN></FONT> </DIV> <DIV><FONT face=Arial size=2><SPAN class=793573513-06082007> </DIV></SPAN></FONT> <DIV align=left> <P align=left><FONT face=Verdana color=gray size=1><SPAN lang=EN-GB style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana">Med venlig hilsen / kind regards</SPAN></FONT><FONT face=Arial color=navy size=2><SPAN lang=EN-GB style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></FONT></P> <P><?XML:NAMESPACE PREFIX = U1 /><U1:PERSONNAME u2:st="on"><FONT face=Verdana color=#0080ff size=2><SPAN lang=EN-GB style="FONT-SIZE: 10pt; COLOR: #0080ff; FONT-FAMILY: Verdana"></SPAN></FONT></U1:PERSONNAME><FONT face=Verdana color=#0080ff size=2><SPAN lang=EN-GB style="FONT-SIZE: 10pt; COLOR: #0080ff; FONT-FAMILY: Verdana"><STRONG>Søren Olesen</STRONG><BR></SPAN></FONT><FONT face=Verdana color=gray size=1><SPAN lang=EN-GB style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana">Systems Engineer</SPAN></FONT></P> <P><FONT face=Verdana color=gray size=1><SPAN lang=EN-GB style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana"></SPAN></FONT><FONT face=Verdana color=gray size=1><SPAN lang=EN-GB style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana">Systematic Software Engineering A/S<BR>Søren Frichs Vej 39, DK-8000 <?XML:NAMESPACE PREFIX = U3 /><U3:PLACE u4:st="on"><U1:PLACE u2:st="on"><?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" /><st1:place w:st="on">Aarhus</U1:PLACE></U3:PLACE></st1:place> C<BR>Tel.:</SPAN></FONT><FONT face=Arial color=gray size=2><SPAN lang=EN-GB style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial"> </SPAN></FONT><FONT face=Verdana color=gray size=1><SPAN lang=EN-GB style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana">+45 8943 2055<BR>Fax: +45 8943 2020<BR>Web: </SPAN></FONT><FONT face=Verdana color=gray size=1><SPAN style="FONT-SIZE: 7.5pt; COLOR: gray; FONT-FAMILY: Verdana"><A title="blocked::http://www.systematic.dk/ http://www.systematic.dk/ blocked::http://www.systematic.dk/ http://www.systematic.dk/" href="blocked::http://www.systematic.dk/"><SPAN lang=EN-GB title=blocked::http://www.systematic.dk/><SPAN title="blocked::http://www.systematic.dk/ http://www.systematic.dk/ blocked::http://www.systematic.dk/ http://www.systematic.dk/"><SPAN title=blocked::http://www.systematic.dk/><SPAN title=blocked::http://www.systematic.dk/>www.systematic.dk</SPAN></SPAN></SPAN></SPAN></A></SPAN></FONT><SPAN lang=EN-GB><o:p></o:p></SPAN></P></DIV> <DIV><FONT face=Arial size=2></FONT> </DIV></BODY></HTML>