Does the order / position of audit rule's arguments matter?
Steve Grubb
sgrubb at redhat.com
Sun Jan 25 18:05:58 UTC 2015
On Monday, January 19, 2015 01:19:16 PM Jan Lieskovsky wrote:
> Thank you both for quick replies.
>
> ----- Original Message -----
>
> > From: "Steve Grubb" <sgrubb at redhat.com>
> > To: "Richard Guy Briggs" <rgb at redhat.com>
> > Cc: linux-audit at redhat.com, "Jan Lieskovsky" <jlieskov at redhat.com>, "Shawn
> > Wells" <shawn at redhat.com> Sent: Monday, January 19, 2015 7:11:10 PM
> > Subject: Re: Does the order / position of audit rule's arguments matter?
> >
> > On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> > > On 15/01/19, Steve Grubb wrote:
> > > > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > > > Hello folks,
> > > > >
> > > > > wasn't able to find answer to the following question in the
> > > > > auditctl
> > > > >
> > > > > manual page, thus checking here - does the order / position in which
> > > > > the
> > > > > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed
> > > > > in
> > > > > the rule matter or all permutations of the arguments are allowed?
> > > >
> > > > Yes, its a first match wins system. I tell people to order from
> > > > specific
> > > > to
> > > > general. IOW, put a watch on /etc/shadow before a watch on /etc.
> > >
> > > I don't think that answers Jan's question. I understood the question to
> > > be the ordering of arguments *within* a rule.
>
> Yes, was about this case. But good to know also order of rules matters
> (to list them that way).
>
> > I believe the answer is
> >
> > > "no".
> > >
> > > so:
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> >
> > auid!=4294967295
> >
> > > -k privileged would be equivalent to:
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F
> >
> > auid>=500
> >
> > > -k privileged
> >
> > If that is the case, then you want to have the fields in the order in
> > which
> > the
> > system can decide "no" as fast as possible.
>
> Meaning the audit rule's arguments to be sorted? Or just follow the form
> as it's listed for example in /usr/share/doc/audit-2.3.7/stig.rules file?
> (IOW action first, then path to binary, then other -F arguments - for these
> to be listed in ascending alphabetical order?)
Yes, the audit system is like
for each rule
if (syscall & mask)
for each field
if fval != rval
next rule
endif
done
record event
endif
done
So, by deciding "no" quickly, it can move on to the next rule to iterate over
the fields.
The stig.rules is ordered correctly and is intended that anyone that needs to
STIG a box simply copies the file "as is" to the rules.d directory. Any
problems between what the file has and what's needed should be reported here so
the file can be corrected.
-Steve
More information about the Linux-audit
mailing list