[Fwd: Rules order]

Loredan Stancu loredan.stancu at myclar.ro
Tue Dec 9 17:03:50 UTC 2008


Hi,

I added the following rules:

# ./sbin/auditctl -a exit,never -F path=/usr/bin/vim -F perm=x -F uid=0
# ./sbin/auditctl -a exit,always -F uid=0 -F success=1 -S execve -S open -k root_exec
# ./sbin/auditctl -l
LIST_RULES: exit,always uid=0 success=1 (0x1) key=root_exec syscall=open,execve
LIST_RULES: exit,never watch=/usr/bin/vim perm=x uid=0

As you can see, the rule with the 'never' action is introduced first, but in
the exit table they are in reverse order. No matter in what order the rules
are inserted from the command line, in the exit table the rules with the
'never' action are appended to the end of the list and have no effect.

-- 
 Loredan Stancu   | system administrator | admin at myclar.ro
MyClar Connection | http://www.myclar.ro | loredan.stancu at myclar.ro
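
A check for the ordering reported in the message above, as an added example that is not part of the original post and is not code from the audit project: it reads `auditctl -l` output in the `LIST_RULES:` format shown and reports every `never` rule listed after an `always` rule in the same list. It assumes listed order is evaluation order with the first matching rule winning; the function names and sample variables are hypothetical.

```shell
#!/bin/sh
# Added example: flag 'never' rules that are listed after an 'always' rule
# in the same list of `auditctl -l` output (LIST_RULES: format only).
# Assumption: rules in a list are evaluated in listed order, first match wins.
# Heuristic: it does not test whether the two rules match the same events.

# find_late_never: reads `auditctl -l` output on stdin and prints each
# 'never' rule that follows at least one 'always' rule in the same list.
find_late_never() {
    awk '
    $1 == "LIST_RULES:" {
        split($2, la, ",")            # la[1] = list name, la[2] = action
        list = la[1]; action = la[2]
        if (action == "always") {
            seen_always[list]++
            if (!(list in first_always)) first_always[list] = NR
        } else if (action == "never" && seen_always[list] > 0) {
            printf "line %d: %s,never listed after %d always rule(s), first at line %d: %s\n",
                   NR, list, seen_always[list], first_always[list], $0
        }
    }'
}

# count_late_never: same input, prints only the number of flagged rules.
count_late_never() {
    find_late_never | wc -l | tr -d ' '
}

# Constructed sample: the listing from the message, wrapped lines joined.
SAMPLE_REVERSED='LIST_RULES: exit,always uid=0 success=1 (0x1) key=root_exec syscall=open,execve
LIST_RULES: exit,never watch=/usr/bin/vim perm=x uid=0'

# Constructed sample: the same two rules in the order the poster intended.
SAMPLE_INTENDED='LIST_RULES: exit,never watch=/usr/bin/vim perm=x uid=0
LIST_RULES: exit,always uid=0 success=1 (0x1) key=root_exec syscall=open,execve'

# Run against the listing from the message.
printf '%s\n' "$SAMPLE_REVERSED" | find_late_never
```

On a live system the same function can be fed from `auditctl -l` directly, provided the installed version prints the `LIST_RULES:` format.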





