Does the order / position of audit rule's arguments matter?

Steve Grubb sgrubb at redhat.com
Mon Jan 19 18:11:10 UTC 2015 

On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> On 15/01/19, Steve Grubb wrote:
> > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > Hello folks,
> > > 
> > >   wasn't able to find answer to the following question in the auditctl
> > > 
> > > manual page, thus checking here - does the order / position in which the
> > > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in
> > > the rule matter or all permutations of the arguments are allowed?
> > 
> > Yes, its a first match wins system. I tell people to order from specific
> > to
> > general. IOW, put a watch on /etc/shadow before a watch on /etc.
> 
> I don't think that answers Jan's question.  I understood the question to
> be the ordering of arguments *within* a rule.  I believe the answer is
> "no".
> 
> so:
> 	-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F 
auid!=4294967295
> -k privileged would be equivalent to:
> 	-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F 
auid>=500
> -k privileged

If that is the case, then you want to have the fields in the order in which the 
system can decide "no" as fast as possible.

-Steve


> > -Steve
> > 
> > > IOW suppose the following rule:
> > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > 
> > > auid!=4294967295 -k privileged
> > > 
> > > Is
> > > 
> > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > 
> > > auid!=4294967295 -k privileged
> > > 
> > > the only allowed form or are all the other possible argument
> > > permutations
> > > [*] also valid / supported (under assumption there isn't some option
> > > missing or some new option added of course when compared to the original
> > > rule)?
> > > 
> > > Thank you && Regards, Jan.
> > > --
> > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > > 
> > > [*] For example suppose five different /etc/audit/audit.rules
> > > configurations would use the forms as follows below - do all of them
> > > represent equivalent requirement / setting? (regardless how much it's
> > > likely they would be expressed in that form of)
> > > 
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > auid!=4294967295
> > > -k privileged -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > auid!=4294967295
> > > -k privileged -a always,exit -F perm=x -F auid>=500 -F auid!=4294967295
> > > -k
> > > privileged -a always, exit -F path/bin/ping -F auid>=500 -F
> > > auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > perm=x
> > > -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > perm=x -F auid>=500 ..
> 
> - RGB
> 
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list