How to make audit match only one rule?

zhu xiuming xiumingzhu at gmail.com
Mon Jul 29 21:47:06 UTC 2013


That makes sense.
Thanks a lot


On Mon, Jul 29, 2013 at 12:45 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, July 29, 2013 11:38:15 AM zhu xiuming wrote:
> > Hi
> > I have two rules in my audit rules
> >  -a always,exit -F arch=b32 -S execve  -k EXEC_LOG
> >  -w /etc/passwd -p wra   -k identity
> >
> >
> > When I enter
> > cat /etc/passwd on the console
> >
> > Both rules are matched and there is redundant information in the log. How
> > do I make sure that only one rule is matched?
>
> The problem is that two different events are actually occurring. The
> granularity of the Linux audit system is at the syscall level rather than a
> higher level such as commands. The first event you get is probably the
> execve for /bin/cat. Then once that program starts running, it does an open
> syscall of /etc/passwd. So the audit system matches twice.
>
> On any single system call, the audit system only matches the first rule it
> finds. It will not match twice on a single syscall.
>
> -Steve
>
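The two-event behaviour Steve describes can be seen by grouping audit records by their event serial number. The script below is an added illustration, not part of the thread or of the audit project: it parses constructed audit.log lines of the kind auditd writes when `cat /etc/passwd` runs under the two rules above on a 32-bit x86 host, groups the records by the serial in `msg=audit(ts:serial)`, and reports one summary per event. Timestamps, pids, inodes and register values in the sample are made up; the i386 syscall numbers used (execve = 11, open = 5) are the real ones for `arch=b32`.

```python
import re
from collections import defaultdict

# Constructed sample of what auditd logs for `cat /etc/passwd` with the
# rules "-a always,exit -F arch=b32 -S execve -k EXEC_LOG" and
# "-w /etc/passwd -p wra -k identity" loaded. Two events, two serials.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1375130000.123:1001): arch=40000003 syscall=11 success=yes exit=0 a0=9d1a008 a1=9d1a1b0 a2=9d1a3d8 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 tty=pts0 comm="cat" exe="/bin/cat" key="EXEC_LOG"
type=EXECVE msg=audit(1375130000.123:1001): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1375130000.123:1001):  cwd="/home/user"
type=PATH msg=audit(1375130000.123:1001): item=0 name="/bin/cat" inode=1048 dev=08:01 mode=0100755 ouid=0 ogid=0
type=PATH msg=audit(1375130000.123:1001): item=1 name="/lib/ld-linux.so.2" inode=2048 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1375130000.125:1002): arch=40000003 syscall=5 success=yes exit=3 a0=bfa1c0e0 a1=8000 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 tty=pts0 comm="cat" exe="/bin/cat" key="identity"
type=CWD msg=audit(1375130000.125:1002):  cwd="/home/user"
type=PATH msg=audit(1375130000.125:1002): item=0 name="/etc/passwd" inode=4096 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>
HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# i386 syscall numbers (arch=b32); only the two this example needs.
SYSCALL_NAMES_B32 = {11: "execve", 5: "open"}


def parse_records(text):
    """Turn raw audit.log lines into dicts of type, serial and fields."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record, skip it
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
        records.append({
            "type": m.group("type"),
            "serial": int(m.group("serial")),
            "fields": fields,
        })
    return records


def group_events(records):
    """All records sharing a serial belong to one syscall event."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return dict(events)


def summarize_events(text):
    """One summary per event: the syscall that fired it, the rule key(s)
    that matched, and the paths the kernel recorded for it."""
    summaries = []
    for serial, recs in sorted(group_events(parse_records(text)).items()):
        syscall_rec = next((r for r in recs if r["type"] == "SYSCALL"), None)
        num = int(syscall_rec["fields"]["syscall"]) if syscall_rec else None
        keys = sorted({r["fields"]["key"] for r in recs if "key" in r["fields"]})
        paths = [r["fields"]["name"] for r in recs if r["type"] == "PATH"]
        summaries.append({
            "serial": serial,
            "syscall": SYSCALL_NAMES_B32.get(num, num),
            "keys": keys,
            "paths": paths,
        })
    return summaries


if __name__ == "__main__":
    for ev in summarize_events(SAMPLE_LOG):
        print(ev["serial"], ev["syscall"], ev["keys"], ev["paths"])
```

Each event carries exactly one `key=`, which is the per-syscall "first rule wins" behaviour from the reply; the "redundancy" is simply two syscalls from one command. In a real investigation the same split is what `ausearch -k identity` versus `ausearch -k EXEC_LOG` gives you, so keying the rules differently, as the original rules already do, is what lets the two kinds of events be pulled apart later.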