From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: The relationship between audit rules Date: Wed, 21 Aug 2013 16:00:56 -0400 Message-ID: <2301880.gVzkDbq6Ft@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote: > I am little confused by the relationship between audit rules. > > I want to log all other users command history and read/write passwd except > me (auid 16382) > > However, it seems I have to add -F auid!=16382 on both rules. > > -a always,exit -F arch=b32 -S execve -k EXEC_log > -w /etc/passwd -p wr -k identity_write > > I tried to add following rules "before" the two rules above. > -a never,exit -F auid=16382 > > However, it does not work at all. > > So, the rules in audit rules seem independent from each other. Am I right? For each filter, the first match wins. So, you have to organize the rules from specific to general in case there's a possibility of triggering two or more rules. You could do this: -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log or -a never,exit -F arch=b32 -S all -F auid=16382 -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log -a always,exit -F arch=b32 -S execve -F key=EXEC_log They should be equivalent. Also, the only time you need b32 is when you have an x86_64 system. In that case you need another set of rules with b64 since 64 bit systems normally have both 32 and 64 bit interfaces. If you have true 32 bit system just delete the field. -Steve