From mboxrd@z Thu Jan 1 00:00:00 1970
From: Søren Olesen
Subject: Audit rule that applies when auid >= 500
Date: Mon, 6 Aug 2007 15:48:41 +0200
Message-ID: <1F73BC0657C6724ABC50790EE83722B5403AFD@exch1aar>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I would like some of my audit rules to apply when auid >= 500.

For example, consider this use case:

[root@localhost audit]# auditctl -v
auditctl version 1.3.1

[root@localhost audit]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256

# Feel free to add below this line. See auditctl man page

-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test

[root@localhost audit]# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@localhost audit]# auditctl -l
LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall

In "/etc/audit/audit.rules" I specify "auid>=500", but "auditctl -l" shows that the rule matches "auid=500".

What is the syntax for creating a rule that applies when auid>=500?

Med venlig hilsen / kind regards

Søren Olesen
Systems Engineer

Systematic Software Engineering A/S
Søren Frichs Vej 39, DK-8000 Aarhus C
Tel.: +45 8943 2055
Fax: +45 8943 2020
Web: www.systematic.dk
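Editor's note, added after the message and not part of it: the symptom above is that the comparator written in audit.rules (`>=`) is not the one reported back by `auditctl -l` (`=`). Later auditctl releases document the full operator set for `-F` fields (=, !=, <, >, <=, >=, &, &=), so a practitioner loading rules like this one wants a check that the comparator the kernel holds matches the intent. The script below is such a check (editor's example code, not from the original poster or the audit project). It parses the auid field out of `auditctl -l` output and compares it with the expected operator and value. The first sample line is the LIST_RULES line quoted in the message; the second is a constructed line in the `-a always,exit ... -F auid>=500 -F key=...` layout that newer auditctl versions print, assumed here for illustration.

```shell
#!/bin/sh
# Added example (editor's code, not from the original message or the audit
# project): after loading audit rules, confirm that the comparator the kernel
# holds for auid is the one you wrote. On a live system, as root:
#   auditctl -l | check_auid_op '>=' 500 eq_greater_than_test
# Here it runs against two sample lines so it works offline.

# The LIST_RULES line exactly as quoted in the message above (auditctl 1.3.1).
OLD_LINE='LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall'
# Constructed (assumed) line in the command-line layout that later auditctl
# releases print from `auditctl -l`.
NEW_LINE='-a always,exit -S socketcall -F a0=4 -F auid>=500 -F key=eq_greater_than_test'

# Print the auid operator and value found on one rule line, e.g. ">=500" or
# "=500"; prints nothing when the line carries no auid filter.
auid_field() {
    printf '%s\n' "$1" | sed -n 's/.*auid\([!<>=]*\)\([0-9]*\).*/\1\2/p'
}

# Read `auditctl -l` output on stdin. For every line that carries KEY, compare
# its auid filter with OP and VALUE. Returns 0 when every such line matches,
# 1 otherwise, and reports each mismatch on stderr.
check_auid_op() {
    op="$1"; value="$2"; key="$3"; rc=0
    while IFS= read -r line; do
        case "$line" in
            *"$key"*) ;;
            *) continue ;;
        esac
        got=$(auid_field "$line")
        if [ "$got" != "$op$value" ]; then
            printf 'MISMATCH: wanted auid%s%s, loaded rule has auid%s: %s\n' \
                "$op" "$value" "$got" "$line" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Offline demonstration: the 1.3.1 line fails the check, the newer layout passes.
if printf '%s\n' "$OLD_LINE" | check_auid_op '>=' 500 eq_greater_than_test; then
    echo "auditctl 1.3.1 line: comparator preserved"
else
    echo "auditctl 1.3.1 line: comparator lost (>= reported as =)"
fi
if printf '%s\n' "$NEW_LINE" | check_auid_op '>=' 500 eq_greater_than_test; then
    echo "newer layout line: comparator preserved"
fi
```

The check keys on the rule's `-k`/`key=` value so it can be run over a full rule set and only inspect the rule under test; a line with no auid filter at all is also reported, since a silently dropped filter is the same failure from the auditor's point of view.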