How to make audit match only one rule?

Steve Grubb sgrubb at redhat.com
Mon Jul 29 19:45:19 UTC 2013


On Monday, July 29, 2013 11:38:15 AM zhu xiuming wrote:
> Hi
> I have two rules in my audit rules
>  -a always,exit -F arch=b32 -S execve  -k EXEC_LOG
>  -w /etc/passwd -p wra   -k identity
> 
> 
> When I enter
> cat /etc/passwd on the console
> 
> Both rules are matched and there is redundant information in the log. How
> to make sure there is only one rule matched?

The problem is that two different events are actually occurring. The 
granularity of the Linux audit system is at the syscall level rather than a 
higher level such as commands. The first event you get is probably the execve 
for /bin/cat. Then once that program starts running, it does an open syscall 
of /etc/passwd. So the audit system matches twice. 

On any single system call, the audit system only matches the first rule it 
finds. It will not match twice on a single syscall.

-Steve
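To make the two-syscalls, two-records point concrete, here is a toy model of the matcher, written for this archive page and not taken from Steve's reply or from the audit project's code. It assumes a simplified trace of `cat /etc/passwd` (execve, openat, read, close) and evaluates each syscall against the two rules from the question in load order, stopping at the first hit, which is what produces exactly one record per matching syscall and nothing for the rest.

```python
"""Toy model of per-syscall audit rule matching (illustrative, not kernel code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One auditctl rule: either -a always,exit -S <syscalls> or -w <path> -p <perms>."""
    key: str                              # -k value
    syscalls: Optional[set] = None        # -S list; None means this is a watch rule
    watch_path: Optional[str] = None      # -w path
    perms: str = ""                       # -p perms (subset of "rwxa")

    def matches(self, sc: dict) -> bool:
        if self.syscalls is not None:     # syscall rule
            return sc["name"] in self.syscalls
        # watch rule: the path must match and the access kind must be watched
        return sc.get("path") == self.watch_path and bool(set(self.perms) & sc["access"])


def audit(rules, trace):
    """Return (syscall, key) for each syscall in the trace.

    Each syscall is checked against the rules in load order and the first
    matching rule wins; a syscall never yields two records, and a syscall that
    matches nothing yields none.
    """
    records = []
    for sc in trace:
        for rule in rules:
            if rule.matches(sc):
                records.append((sc["name"], rule.key))
                break
    return records


# The two rules from the question, in the order they were loaded.
RULES = [
    Rule(key="EXEC_LOG", syscalls={"execve"}),                    # -S execve -k EXEC_LOG
    Rule(key="identity", watch_path="/etc/passwd", perms="wra"),  # -w /etc/passwd -p wra
]

# Constructed trace (assumption) of `cat /etc/passwd`: the shell execs /bin/cat,
# which then opens the file read-only, reads it and closes it.
CAT_TRACE = [
    {"name": "execve", "path": "/bin/cat", "access": {"x"}},
    {"name": "openat", "path": "/etc/passwd", "access": {"r"}},
    {"name": "read", "path": None, "access": set()},
    {"name": "close", "path": None, "access": set()},
]

if __name__ == "__main__":
    for name, key in audit(RULES, CAT_TRACE):
        print(f"syscall={name} key={key}")   # two records, one per matching syscall
```

Reordering the rules, or putting a broader `-S openat` rule ahead of the watch, changes which key the open is logged under but never adds a second record for the same syscall.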
