The relationship between audit rules

All of lore.kernel.org
 help / color / mirror / Atom feed

* The relationship between audit rules
@ 2013-08-21 19:35 zhu xiuming
  2013-08-21 20:00 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: zhu xiuming @ 2013-08-21 19:35 UTC (permalink / raw)
  To: Linux-audit@redhat.com


[-- Attachment #1.1: Type: text/plain, Size: 522 bytes --]

I am little confused by the relationship between audit rules.

I want to log all other users command history and read/write passwd except
me (auid 16382)

However, it seems I have to add -F auid!=16382 on  both rules.

-a always,exit -F arch=b32 -S execve  -k EXEC_log
 -w /etc/passwd           -p wr  -k identity_write

I tried to add following rules "before" the two rules above.
-a never,exit -F auid=16382

However, it does not work at all.

So, the rules in audit rules seem independent from each other.  Am I right?

[-- Attachment #1.2: Type: text/html, Size: 710 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: The relationship between audit rules
  2013-08-21 19:35 The relationship between audit rules zhu xiuming
@ 2013-08-21 20:00 ` Steve Grubb
  2013-08-21 20:36   ` zhu xiuming
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2013-08-21 20:00 UTC (permalink / raw)
  To: linux-audit

On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
> I am little confused by the relationship between audit rules.
> 
> I want to log all other users command history and read/write passwd except
> me (auid 16382)
> 
> However, it seems I have to add -F auid!=16382 on  both rules.
> 
> -a always,exit -F arch=b32 -S execve  -k EXEC_log
>  -w /etc/passwd           -p wr  -k identity_write
> 
> I tried to add following rules "before" the two rules above.
> -a never,exit -F auid=16382
> 
> However, it does not work at all.
> 
> So, the rules in audit rules seem independent from each other.  Am I right?

For each filter, the first match wins. So, you have to organize the rules from 
specific to general in case there's a possibility of triggering two or more 
rules.

You could do this:

-a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log

or

-a never,exit -F arch=b32 -S all -F auid=16382
-a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F key=EXEC_log

They should be equivalent. Also, the only time you need b32 is when you have 
an x86_64 system.  In that case you need another set of rules with b64 since 
64 bit systems normally have both 32 and 64 bit interfaces. If you have true 
32 bit system just delete the field.

-Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: The relationship between audit rules
  2013-08-21 20:00 ` Steve Grubb
@ 2013-08-21 20:36   ` zhu xiuming
  2013-08-21 21:35     ` zhu xiuming
  0 siblings, 1 reply; 4+ messages in thread
From: zhu xiuming @ 2013-08-21 20:36 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-audit@redhat.com


[-- Attachment #1.1: Type: text/plain, Size: 1560 bytes --]

Got it
Thanks a lot


On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
> > I am little confused by the relationship between audit rules.
> >
> > I want to log all other users command history and read/write passwd
> except
> > me (auid 16382)
> >
> > However, it seems I have to add -F auid!=16382 on  both rules.
> >
> > -a always,exit -F arch=b32 -S execve  -k EXEC_log
> >  -w /etc/passwd           -p wr  -k identity_write
> >
> > I tried to add following rules "before" the two rules above.
> > -a never,exit -F auid=16382
> >
> > However, it does not work at all.
> >
> > So, the rules in audit rules seem independent from each other.  Am I
> right?
>
> For each filter, the first match wins. So, you have to organize the rules
> from
> specific to general in case there's a possibility of triggering two or more
> rules.
>
> You could do this:
>
> -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log
> -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log
>
> or
>
> -a never,exit -F arch=b32 -S all -F auid=16382
> -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
> -a always,exit -F arch=b32 -S execve -F key=EXEC_log
>
> They should be equivalent. Also, the only time you need b32 is when you
> have
> an x86_64 system.  In that case you need another set of rules with b64
> since
> 64 bit systems normally have both 32 and 64 bit interfaces. If you have
> true
> 32 bit system just delete the field.
>
> -Steve
>

[-- Attachment #1.2: Type: text/html, Size: 2152 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: The relationship between audit rules
  2013-08-21 20:36   ` zhu xiuming
@ 2013-08-21 21:35     ` zhu xiuming
  0 siblings, 0 replies; 4+ messages in thread
From: zhu xiuming @ 2013-08-21 21:35 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-audit@redhat.com


[-- Attachment #1.1: Type: text/plain, Size: 2237 bytes --]

I just test it
it seems

It only works for syscalls.
I cannot see my record on exec_log
but pwd_log still jumps out.



 auditctl -l
LIST_RULES: exit,never arch=1073741827 (0x40000003) auid=16382 syscall=all
LIST_RULES: exit,never arch=3221225534 (0xc000003e) auid= 16382 syscall=all
LIST_RULES: exit,always arch=1073741827 (0x40000003) key=EXEC_log
syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=EXEC_log
syscall=execve
LIST_RULES: exit,always watch=/etc/passwd perm=rw key=pwd_log


Did I miss something?




On Wed, Aug 21, 2013 at 1:36 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:

> Got it
> Thanks a lot
>
>
> On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
>> > I am little confused by the relationship between audit rules.
>> >
>> > I want to log all other users command history and read/write passwd
>> except
>> > me (auid 16382)
>> >
>> > However, it seems I have to add -F auid!=16382 on  both rules.
>> >
>> > -a always,exit -F arch=b32 -S execve  -k EXEC_log
>> >  -w /etc/passwd           -p wr  -k identity_write
>> >
>> > I tried to add following rules "before" the two rules above.
>> > -a never,exit -F auid=16382
>> >
>> > However, it does not work at all.
>> >
>> > So, the rules in audit rules seem independent from each other.  Am I
>> right?
>>
>> For each filter, the first match wins. So, you have to organize the rules
>> from
>> specific to general in case there's a possibility of triggering two or
>> more
>> rules.
>>
>> You could do this:
>>
>> -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F
>> key=pwd_log
>> -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log
>>
>> or
>>
>> -a never,exit -F arch=b32 -S all -F auid=16382
>> -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
>> -a always,exit -F arch=b32 -S execve -F key=EXEC_log
>>
>> They should be equivalent. Also, the only time you need b32 is when you
>> have
>> an x86_64 system.  In that case you need another set of rules with b64
>> since
>> 64 bit systems normally have both 32 and 64 bit interfaces. If you have
>> true
>> 32 bit system just delete the field.
>>
>> -Steve
>>
>
>

[-- Attachment #1.2: Type: text/html, Size: 3224 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-08-21 21:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-21 19:35 The relationship between audit rules zhu xiuming
2013-08-21 20:00 ` Steve Grubb
2013-08-21 20:36   ` zhu xiuming
2013-08-21 21:35     ` zhu xiuming

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.