Audit rule that applies when auid >= 500

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: "Søren Olesen" <son@systematic.dk>
To: linux-audit@redhat.com
Subject: Audit rule that applies when auid >= 500
Date: Mon, 6 Aug 2007 15:48:41 +0200	[thread overview]
Message-ID: <1F73BC0657C6724ABC50790EE83722B5403AFD@exch1aar> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 1484 bytes --]

Hello,
 
I would like some of my audit rules to apply when auid >= 500 
 
For example consider this use case:
 
[root@localhost audit]# auditctl -v
auditctl version 1.3.1
 
[root@localhost audit]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
 
# First rule - delete all
-D
 
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
 
# Feel free to add below this line. See auditctl man page
 
-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test
 
[root@localhost audit]# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

[root@localhost audit]# auditctl -l
LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall

 
In "/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows that the rule matches "auid=500".
 
What is the syntax for creating a rule that applies when auid>=500 ?
 
 

Med venlig hilsen / kind regards

Søren Olesen
Systems Engineer

Systematic Software Engineering A/S
Søren Frichs Vej 39, DK-8000  Aarhus C
Tel.: +45 8943 2055
Fax: +45 8943 2020
Web: www.systematic.dk <blocked::http://www.systematic.dk/> 

 

[-- Attachment #1.2: Type: text/html, Size: 6704 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

next             reply	other threads:[~2007-08-06 13:51 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-08-06 13:48 Søren Olesen [this message]
2007-08-06 22:19 ` Audit rule that applies when auid >= 500 Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1F73BC0657C6724ABC50790EE83722B5403AFD@exch1aar \
    --to=son@systematic.dk \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox