* The relationship between audit rules @ 2013-08-21 19:35 zhu xiuming 2013-08-21 20:00 ` Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: zhu xiuming @ 2013-08-21 19:35 UTC (permalink / raw) To: Linux-audit@redhat.com [-- Attachment #1.1: Type: text/plain, Size: 522 bytes --] I am little confused by the relationship between audit rules. I want to log all other users command history and read/write passwd except me (auid 16382) However, it seems I have to add -F auid!=16382 on both rules. -a always,exit -F arch=b32 -S execve -k EXEC_log -w /etc/passwd -p wr -k identity_write I tried to add following rules "before" the two rules above. -a never,exit -F auid=16382 However, it does not work at all. So, the rules in audit rules seem independent from each other. Am I right? [-- Attachment #1.2: Type: text/html, Size: 710 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: The relationship between audit rules 2013-08-21 19:35 The relationship between audit rules zhu xiuming @ 2013-08-21 20:00 ` Steve Grubb 2013-08-21 20:36 ` zhu xiuming 0 siblings, 1 reply; 4+ messages in thread From: Steve Grubb @ 2013-08-21 20:00 UTC (permalink / raw) To: linux-audit On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote: > I am little confused by the relationship between audit rules. > > I want to log all other users command history and read/write passwd except > me (auid 16382) > > However, it seems I have to add -F auid!=16382 on both rules. > > -a always,exit -F arch=b32 -S execve -k EXEC_log > -w /etc/passwd -p wr -k identity_write > > I tried to add following rules "before" the two rules above. > -a never,exit -F auid=16382 > > However, it does not work at all. > > So, the rules in audit rules seem independent from each other. Am I right? For each filter, the first match wins. So, you have to organize the rules from specific to general in case there's a possibility of triggering two or more rules. You could do this: -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log or -a never,exit -F arch=b32 -S all -F auid=16382 -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log -a always,exit -F arch=b32 -S execve -F key=EXEC_log They should be equivalent. Also, the only time you need b32 is when you have an x86_64 system. In that case you need another set of rules with b64 since 64 bit systems normally have both 32 and 64 bit interfaces. If you have true 32 bit system just delete the field. -Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: The relationship between audit rules 2013-08-21 20:00 ` Steve Grubb @ 2013-08-21 20:36 ` zhu xiuming 2013-08-21 21:35 ` zhu xiuming 0 siblings, 1 reply; 4+ messages in thread From: zhu xiuming @ 2013-08-21 20:36 UTC (permalink / raw) To: Steve Grubb; +Cc: Linux-audit@redhat.com [-- Attachment #1.1: Type: text/plain, Size: 1560 bytes --] Got it Thanks a lot On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: > On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote: > > I am little confused by the relationship between audit rules. > > > > I want to log all other users command history and read/write passwd > except > > me (auid 16382) > > > > However, it seems I have to add -F auid!=16382 on both rules. > > > > -a always,exit -F arch=b32 -S execve -k EXEC_log > > -w /etc/passwd -p wr -k identity_write > > > > I tried to add following rules "before" the two rules above. > > -a never,exit -F auid=16382 > > > > However, it does not work at all. > > > > So, the rules in audit rules seem independent from each other. Am I > right? > > For each filter, the first match wins. So, you have to organize the rules > from > specific to general in case there's a possibility of triggering two or more > rules. > > You could do this: > > -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log > -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log > > or > > -a never,exit -F arch=b32 -S all -F auid=16382 > -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log > -a always,exit -F arch=b32 -S execve -F key=EXEC_log > > They should be equivalent. Also, the only time you need b32 is when you > have > an x86_64 system. In that case you need another set of rules with b64 > since > 64 bit systems normally have both 32 and 64 bit interfaces. If you have > true > 32 bit system just delete the field. > > -Steve > [-- Attachment #1.2: Type: text/html, Size: 2152 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: The relationship between audit rules 2013-08-21 20:36 ` zhu xiuming @ 2013-08-21 21:35 ` zhu xiuming 0 siblings, 0 replies; 4+ messages in thread From: zhu xiuming @ 2013-08-21 21:35 UTC (permalink / raw) To: Steve Grubb; +Cc: Linux-audit@redhat.com [-- Attachment #1.1: Type: text/plain, Size: 2237 bytes --] I just test it it seems It only works for syscalls. I cannot see my record on exec_log but pwd_log still jumps out. auditctl -l LIST_RULES: exit,never arch=1073741827 (0x40000003) auid=16382 syscall=all LIST_RULES: exit,never arch=3221225534 (0xc000003e) auid= 16382 syscall=all LIST_RULES: exit,always arch=1073741827 (0x40000003) key=EXEC_log syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=EXEC_log syscall=execve LIST_RULES: exit,always watch=/etc/passwd perm=rw key=pwd_log Did I miss something? On Wed, Aug 21, 2013 at 1:36 PM, zhu xiuming <xiumingzhu@gmail.com> wrote: > Got it > Thanks a lot > > > On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb@redhat.com> wrote: > >> On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote: >> > I am little confused by the relationship between audit rules. >> > >> > I want to log all other users command history and read/write passwd >> except >> > me (auid 16382) >> > >> > However, it seems I have to add -F auid!=16382 on both rules. >> > >> > -a always,exit -F arch=b32 -S execve -k EXEC_log >> > -w /etc/passwd -p wr -k identity_write >> > >> > I tried to add following rules "before" the two rules above. >> > -a never,exit -F auid=16382 >> > >> > However, it does not work at all. >> > >> > So, the rules in audit rules seem independent from each other. Am I >> right? >> >> For each filter, the first match wins. So, you have to organize the rules >> from >> specific to general in case there's a possibility of triggering two or >> more >> rules. >> >> You could do this: >> >> -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F >> key=pwd_log >> -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log >> >> or >> >> -a never,exit -F arch=b32 -S all -F auid=16382 >> -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log >> -a always,exit -F arch=b32 -S execve -F key=EXEC_log >> >> They should be equivalent. Also, the only time you need b32 is when you >> have >> an x86_64 system. In that case you need another set of rules with b64 >> since >> 64 bit systems normally have both 32 and 64 bit interfaces. If you have >> true >> 32 bit system just delete the field. >> >> -Steve >> > > [-- Attachment #1.2: Type: text/html, Size: 3224 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-08-21 21:35 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-08-21 19:35 The relationship between audit rules zhu xiuming 2013-08-21 20:00 ` Steve Grubb 2013-08-21 20:36 ` zhu xiuming 2013-08-21 21:35 ` zhu xiuming
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.