Does the order / position of audit rule's arguments matter?

Richard Guy Briggs rgb at redhat.com
Mon Jan 19 18:06:42 UTC 2015 

On 15/01/19, Steve Grubb wrote:
> On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > Hello folks,
> > 
> >   wasn't able to find answer to the following question in the auditctl
> > manual page, thus checking here - does the order / position in which the
> > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in
> > the rule matter or all permutations of the arguments are allowed?
> 
> Yes, its a first match wins system. I tell people to order from specific to 
> general. IOW, put a watch on /etc/shadow before a watch on /etc.

I don't think that answers Jan's question.  I understood the question to
be the ordering of arguments *within* a rule.  I believe the answer is
"no".

so:
	-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
would be equivalent to:
	-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F auid>=500 -k privileged

> -Steve
> 
> > IOW suppose the following rule:
> >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > auid!=4294967295 -k privileged
> > 
> > Is
> >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > auid!=4294967295 -k privileged
> > 
> > the only allowed form or are all the other possible argument permutations
> > [*] also valid / supported (under assumption there isn't some option
> > missing or some new option added of course when compared to the original
> > rule)?
> > 
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > 
> > [*] For example suppose five different /etc/audit/audit.rules configurations
> > would use the forms as follows below - do all of them represent equivalent
> > requirement / setting? (regardless how much it's likely they would be
> > expressed in that form of)
> > 
> > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295
> > -k privileged -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295
> > -k privileged -a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -k
> > privileged -a always, exit -F path/bin/ping -F auid>=500 -F
> > auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x
> > -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > perm=x -F auid>=500 ..

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list