Question - Rule Syntax
Steve Grubb
sgrubb at redhat.com
Tue Jan 3 14:13:15 UTC 2012
On Thursday, December 22, 2011 04:19:34 PM Bryan Jacobs wrote:
> I am attempting to create a rule that will audit privileged
> commands for UIDs greater than 500 but ignore one particular user that
> falls under this rule. The user I am trying to ignore is the only user
> that should be touching the file.
>
> Below is the rule.
>
> #### BEGIN RULE SNIP ####
>
> ## Ensure auditd Collects Information on the Use of Privileged Commands
>
> -a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
>
> #### END RULE SNIP ####
>
> Is the rule syntax above correct?
This looks correct to me.
-Steve
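The rule in the question relies on one property of auditctl filters: every `-F` condition on a rule is ANDed, so `auid>=500`, `auid!=4294967295` and `auid!=505` together mean "a real login UID of 500 or more, except 505". The following is an added example, not part of the thread and not audit code from the project: a small model of that filter evaluation, run against a handful of constructed events, so the exemption can be checked before the rule is loaded. The `parse_rule`, `matches` and `audited_auids` functions and the `SAMPLE_EVENTS` list are this example's own; `perm=x` is modelled simply as a `perm` field on the event, whereas real auditd treats it as the access type on the watched path.

```python
"""Model which events an auditctl rule's -F filters would select.

Added example for illustration only: the real matching is done by the
kernel audit subsystem. Field names and sample events are constructed.
"""
import operator
import re
import shlex

# Unset login UID: the kernel stores -1, which auditctl prints as 4294967295.
AUID_UNSET = 4294967295

_OPS = {
    ">=": operator.ge, "<=": operator.le, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt, "=": operator.eq,
}
# Two-character operators are listed first so ">=" is not split as ">" + "=".
_FILTER_RE = re.compile(r"^(\w+)(>=|<=|!=|>|<|=)(.*)$")


def parse_rule(rule: str) -> dict:
    """Split one auditctl rule line into its action, -F filters and key."""
    tokens = shlex.split(rule)
    parsed = {"action": None, "filters": [], "key": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":
            parsed["action"] = tokens[i + 1]
        elif tok == "-F":
            m = _FILTER_RE.match(tokens[i + 1])
            if not m:
                raise ValueError(f"bad filter: {tokens[i + 1]!r}")
            field, op, value = m.groups()
            parsed["filters"].append((field, op, value))
        elif tok == "-k":
            parsed["key"] = tokens[i + 1]
        else:
            raise ValueError(f"unsupported token in this model: {tok!r}")
        i += 2
    return parsed


def _coerce(field_value, rule_value):
    """Numeric fields (auid, uid, ...) compare as integers, others as strings."""
    try:
        return int(field_value), int(rule_value)
    except (TypeError, ValueError):
        return str(field_value), str(rule_value)


def matches(parsed: dict, event: dict) -> bool:
    """True only if every -F filter holds for the event (filters are ANDed)."""
    for field, op, value in parsed["filters"]:
        if field not in event:
            return False
        left, right = _coerce(event[field], value)
        if not _OPS[op](left, right):
            return False
    return True


# The rule from the question, on a single line as audit.rules requires.
RULE = ("-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x "
        "-F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged")

# Constructed sample events: one per case the rule has to distinguish.
_BIN = "/opt/varonis1.6.0106/bin/ls"
SAMPLE_EVENTS = [
    {"path": _BIN, "perm": "x", "auid": 1000},       # ordinary user: logged
    {"path": _BIN, "perm": "x", "auid": 505},        # exempted user: not logged
    {"path": _BIN, "perm": "x", "auid": AUID_UNSET}, # no login uid (daemon): not logged
    {"path": _BIN, "perm": "x", "auid": 0},          # root login, below 500: not logged
    {"path": "/bin/ls", "perm": "x", "auid": 1000},  # different binary: not logged
]


def audited_auids(rule: str = RULE, events=SAMPLE_EVENTS) -> list:
    """Return the auid of every sample event the rule would record."""
    parsed = parse_rule(rule)
    return [e["auid"] for e in events if matches(parsed, e)]


if __name__ == "__main__":
    print("recorded auids:", audited_auids())  # only 1000 survives the filters
```

Running it shows only the auid 1000 event passing, which is the behaviour the question asks for: the exempted user 505, the unset auid, and logins below 500 all drop out. The same model is useful when a rule grows more `-F` clauses, because a single typo such as `auid=505` instead of `auid!=505` silently changes which users are logged.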
More information about the Linux-audit mailing list