* Audit rule that applies when auid >= 500
From: Søren Olesen @ 2007-08-06 13:48 UTC (permalink / raw)
To: linux-audit
Hello,
I would like some of my audit rules to apply when auid >= 500
For example consider this use case:
[root@localhost audit]# auditctl -v
auditctl version 1.3.1
[root@localhost audit]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 256
# Feel free to add below this line. See auditctl man page
-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test
[root@localhost audit]# /etc/init.d/auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@localhost audit]# auditctl -l
LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall
In "/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows that the rule matches "auid=500".
What is the syntax for creating a rule that applies when auid>=500 ?
Med venlig hilsen / kind regards
Søren Olesen
Systems Engineer
Systematic Software Engineering A/S
Søren Frichs Vej 39, DK-8000 Aarhus C
Tel.: +45 8943 2055
Fax: +45 8943 2020
Web: www.systematic.dk
* Re: Audit rule that applies when auid >= 500
From: Steve Grubb @ 2007-08-06 22:19 UTC (permalink / raw)
To: linux-audit
On Monday 06 August 2007 09:48:41 am Søren Olesen wrote:
> [root@localhost audit]# auditctl -v
> auditctl version 1.3.1
There may have been a bug in that version. I remember a problem where it
wasn't upgrading the rule from the old kind to the new kind correctly. (It
tries to use the old rule style for communicating with the kernel for
backward compatibility with old kernels - pre-2.6.16.) There are slightly newer
RHEL5 audit packages here:
http://people.redhat.com/sgrubb/files/lspp/
But the RHEL5.1 package 1.5.5-5 should work fine:
# auditctl -a exit,always -S open -F "auid>=500"
# auditctl -l
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open
-Steve
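As an added example (not code from the thread or from the audit project), a small Python check that parses the rules-file line and the `auditctl -l` output quoted above and flags when the loaded rule reports a different comparison operator than the one requested; the sample lines are copied from the two messages and embedded as constructed test input. It generalises to any `-F` field and operator, not only `auid>=500`.

```python
import re

# Regex for one "-F name<op>value" token; ">=" and "<=" are tried before
# ">" / "<" / "=" so "auid>=500" is not mis-read as "auid=500".
FIELD_RE = re.compile(r"^(?P<name>\w+)(?P<op>>=|<=|!=|>|<|=)(?P<value>.+)$")
# Same shape inside a LIST_RULES line, where fields are space separated.
LIST_RE = re.compile(r"(\w+)(>=|<=|!=|>|<|=)(\S+)")

# Constructed sample input, taken from the two messages in this thread.
RULES_LINE = "-a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test"
BUGGY_LIST = ("LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) "
              "key=eq_greater_than_test syscall=socketcall")
FIXED_LIST = "LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open"


def parse_rule_line(line):
    """Return {field: (op, value)} for every -F comparison in an audit.rules line."""
    tokens = line.split()
    fields = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F":
            m = FIELD_RE.match(tokens[i + 1])
            if m:
                fields[m.group("name")] = (m.group("op"), m.group("value"))
    return fields


def parse_list_rules(line):
    """Return {field: (op, value)} from one LIST_RULES line printed by auditctl -l."""
    return {name: (op, value) for name, op, value in LIST_RE.findall(line)}


def check_operator_preserved(rules_line, list_rules_line, field="auid"):
    """Compare the requested comparison for `field` with what auditctl -l reports.

    Returns (ok, requested, loaded). ok is False when either side lacks the
    field or when the operator or value differ, which is the symptom shown
    in the first message (">=" requested, "=" reported back).
    """
    requested = parse_rule_line(rules_line).get(field)
    loaded = parse_list_rules(list_rules_line).get(field)
    if requested is None or loaded is None:
        return (False, requested, loaded)
    return (requested == loaded, requested, loaded)


if __name__ == "__main__":
    for label, listing in (("1.3.1 output", BUGGY_LIST), ("1.5.5-5 output", FIXED_LIST)):
        ok, req, got = check_operator_preserved(RULES_LINE, listing)
        print(f"{label}: requested auid{req[0]}{req[1]}, loaded auid{got[0]}{got[1]} -> {'OK' if ok else 'MISMATCH'}")
```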