Does the order / position of audit rule's arguments matter?
Jan Lieskovsky
jlieskov at redhat.com
Mon Jan 19 17:57:11 UTC 2015
Hello folks,
wasn't able to find answer to the following question in the auditctl
manual page, thus checking here - does the order / position in which the
auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in
the rule matter or all permutations of the arguments are allowed?
IOW suppose the following rule:
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Is
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
the only allowed form or are all the other possible argument permutations [*] also
valid / supported (under assumption there isn't some option missing or some new option
added of course when compared to the original rule)?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[*] For example suppose five different /etc/audit/audit.rules configurations would use the
forms as follows below - do all of them represent equivalent requirement / setting?
(regardless how much it's likely they would be expressed in that form of)
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit
-F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always, exit -F path/bin/ping
-F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x
-F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500
..
More information about the Linux-audit
mailing list