The relationship between audit rules

zhu xiuming xiumingzhu at gmail.com
Wed Aug 21 21:35:44 UTC 2013


I just tested it.
It seems
it only works for syscalls.
I cannot see my record in exec_log,
but pwd_log still jumps out.



 auditctl -l
LIST_RULES: exit,never arch=1073741827 (0x40000003) auid=16382 syscall=all
LIST_RULES: exit,never arch=3221225534 (0xc000003e) auid= 16382 syscall=all
LIST_RULES: exit,always arch=1073741827 (0x40000003) key=EXEC_log
syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=EXEC_log
syscall=execve
LIST_RULES: exit,always watch=/etc/passwd perm=rw key=pwd_log


Did I miss something?




On Wed, Aug 21, 2013 at 1:36 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:

> Got it
> Thanks a lot
>
>
> On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
>> > I am a little confused by the relationship between audit rules.
>> >
>> > I want to log all other users' command history and read/write of passwd
>> > except me (auid 16382).
>> >
>> > However, it seems I have to add -F auid!=16382 on both rules.
>> >
>> > -a always,exit -F arch=b32 -S execve  -k EXEC_log
>> >  -w /etc/passwd           -p wr  -k identity_write
>> >
>> > I tried to add the following rule "before" the two rules above.
>> > -a never,exit -F auid=16382
>> >
>> > However, it does not work at all.
>> >
>> > So, the rules in audit rules seem independent from each other. Am I
>> > right?
>>
>> For each filter, the first match wins. So, you have to organize the rules
>> from specific to general in case there's a possibility of triggering two or
>> more rules.
>>
>> You could do this:
>>
>> -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log
>> -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log
>>
>> or
>>
>> -a never,exit -F arch=b32 -S all -F auid=16382
>> -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
>> -a always,exit -F arch=b32 -S execve -F key=EXEC_log
>>
>> They should be equivalent. Also, the only time you need b32 is when you
>> have an x86_64 system. In that case you need another set of rules with b64,
>> since 64 bit systems normally have both 32 and 64 bit interfaces. If you
>> have a true 32 bit system, just delete the field.
>>
>> -Steve
>>
>
>
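The ordering point Steve makes above ("first match wins, so specific before general") can be checked with a small model of the exit filter. This is an added example, not code from the thread or from audit-userspace: it parses the rule lines quoted above, evaluates constructed sample events against them in order, and assumes nothing about the kernel beyond first-match semantics (it does not reproduce the watch-versus-syscall behaviour the poster observed).

```python
# Toy model of the audit exit filter: rules are checked in order, first match decides.
import shlex

def parse_rule(line):
    """Parse one auditctl line: -a action,exit [-S ...] [-F name=v | name!=v] [-k key]."""
    toks = shlex.split(line)
    rule = {"action": "always", "syscalls": None, "fields": []}  # None = any syscall
    for flag, arg in zip(toks, toks[1:]):
        if flag == "-a":
            rule["action"] = arg.split(",")[0]
        elif flag == "-S":
            rule["syscalls"] = None if arg == "all" else set(arg.split(","))
        elif flag == "-k":
            rule["fields"].append(("key", "=", arg))
        elif flag == "-F":
            op = "!=" if "!=" in arg else "="
            name, value = arg.split(op, 1)
            rule["fields"].append((name, op, value))
    return rule

def matches(rule, ev):
    if rule["syscalls"] is not None and ev["syscall"] not in rule["syscalls"]:
        return False
    for name, op, value in rule["fields"]:
        if name == "key":  # key labels the record, it is not a test
            continue
        # perm=wr is a set of access letters; the event carries the one letter used
        hit = ev.get("perm", "-") in value if name == "perm" else ev.get(name) == value
        if hit != (op == "="):
            return False
    return True

def first_match(rules, ev):
    """Key of the first matching always rule; None if a never rule hit or nothing matched."""
    for rule in rules:
        if matches(rule, ev):
            if rule["action"] == "never":
                return None
            return next((v for n, _, v in rule["fields"] if n == "key"), None)
    return None

# Constructed sample events, carrying only the fields the rules above test.
EXEC_ME = {"arch": "b32", "syscall": "execve", "auid": "16382"}
EXEC_OTHER = {"arch": "b32", "syscall": "execve", "auid": "1000"}
PASSWD_OTHER = {"arch": "b32", "syscall": "openat", "auid": "1000", "path": "/etc/passwd", "perm": "w"}

SPECIFIC_FIRST = [parse_rule(r) for r in (
    "-a never,exit -F arch=b32 -S all -F auid=16382",
    "-a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log",
    "-a always,exit -F arch=b32 -S execve -F key=EXEC_log",
)]
GENERAL_FIRST = SPECIFIC_FIRST[1:] + SPECIFIC_FIRST[:1]  # never rule last: it is too late
```

With the never rule first, auid 16382's execve is dropped and everyone else's is keyed EXEC_log; move it last and the EXEC_log rule wins first, which is the failure mode the ordering advice guards against. A b64 execve matches none of the b32 rules, which is why the x86_64 case needs the second rule set.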