Does the order / position of audit rule's arguments matter?

Steve Grubb sgrubb at redhat.com
Sun Jan 25 18:05:58 UTC 2015 

On Monday, January 19, 2015 01:19:16 PM Jan Lieskovsky wrote:
> Thank you both for quick replies.
> 
> ----- Original Message -----
> 
> > From: "Steve Grubb" <sgrubb at redhat.com>
> > To: "Richard Guy Briggs" <rgb at redhat.com>
> > Cc: linux-audit at redhat.com, "Jan Lieskovsky" <jlieskov at redhat.com>, "Shawn
> > Wells" <shawn at redhat.com> Sent: Monday, January 19, 2015 7:11:10 PM
> > Subject: Re: Does the order / position of audit rule's arguments matter?
> > 
> > On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> > > On 15/01/19, Steve Grubb wrote:
> > > > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > > > Hello folks,
> > > > > 
> > > > >   wasn't able to find answer to the following question in the
> > > > >   auditctl
> > > > > 
> > > > > manual page, thus checking here - does the order / position in which
> > > > > the
> > > > > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed
> > > > > in
> > > > > the rule matter or all permutations of the arguments are allowed?
> > > > 
> > > > Yes, its a first match wins system. I tell people to order from
> > > > specific
> > > > to
> > > > general. IOW, put a watch on /etc/shadow before a watch on /etc.
> > > 
> > > I don't think that answers Jan's question.  I understood the question to
> > > be the ordering of arguments *within* a rule.
> 
> Yes, was about this case. But good to know also order of rules matters
> (to list them that way).
> 
> >  I believe the answer is
> >  
> > > "no".
> > > 
> > > so:
> > > 	-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > 
> > auid!=4294967295
> > 
> > > -k privileged would be equivalent to:
> > > 	-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F
> > 
> > auid>=500
> > 
> > > -k privileged
> > 
> > If that is the case, then you want to have the fields in the order in
> > which
> > the
> > system can decide "no" as fast as possible.
> 
> Meaning the audit rule's arguments to be sorted? Or just follow the form
> as it's listed for example in /usr/share/doc/audit-2.3.7/stig.rules file?
> (IOW action first, then path to binary, then other -F arguments - for these
> to be listed in ascending alphabetical order?)

Yes, the audit system is like
for each rule
  if (syscall & mask)
     for each field
        if fval != rval
           next rule
        endif
     done
     record event
  endif
done

So, by deciding "no" quickly, it can move on to the next rule to iterate over 
the fields. 

The stig.rules is ordered correctly and is intended that anyone that needs to 
STIG a box simply copies the file "as is" to the rules.d directory. Any 
problems between what the file has and what's needed should be reported here so 
the file can be corrected.

-Steve

More information about the Linux-audit mailing list