Audit rule that applies when auid >= 500

[Søren Olesen]

Hello,
 
I would like some of my audit rules to apply when auid >= 500 
 
For example consider this use case:
 
[root at localhost audit]# auditctl -v
auditctl version 1.3.1
 
[root at localhost audit]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
 
# First rule - delete all
-D
 
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
 
# Feel free to add below this line. See auditctl man page
 
-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test
 
[root at localhost audit]# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

[root at localhost audit]# auditctl -l
LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall

 
In "/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows that the rule matches "auid=500".
 
What is the syntax for creating a rule that applies when auid>=500 ?
 
 

Med venlig hilsen / kind regards

Søren Olesen
Systems Engineer

Systematic Software Engineering A/S
Søren Frichs Vej 39, DK-8000  Aarhus C
Tel.: +45 8943 2055
Fax: +45 8943 2020
Web: www.systematic.dk <blocked::http://www.systematic.dk/> 

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070806/0e253502/attachment.htm>