From: Steve Grubb
Subject: Re: Does the order / position of audit rule's arguments matter?
Date: Mon, 19 Jan 2015 12:59:47 -0500
Message-ID: <2664220.tArxC4c8Gx@x2>
In-Reply-To: <2022844409.13837392.1421690231611.JavaMail.zimbra@redhat.com>
To: linux-audit@redhat.com
Cc: Jan Lieskovsky, Shawn Wells
List-Id: linux-audit@redhat.com

On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> Hello folks,
>
> I wasn't able to find an answer to the following question in the auditctl
> manual page, so I am checking here: does the order / position in which the
> audit rule arguments are listed in auditctl / /etc/audit/audit.rules matter,
> or are all permutations of the arguments allowed?

Yes, it's a first-match-wins system. I tell people to order from specific to
general. IOW, put a watch on /etc/shadow before a watch on /etc.

-Steve

> IOW suppose the following rule:
> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
>
> Is
> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
>
> the only allowed form, or are all the other possible argument permutations
> [*] also valid / supported (under the assumption, of course, that no option
> is missing or added when compared to the original rule)?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> [*] For example, suppose five different /etc/audit/audit.rules
> configurations used the forms below. Do all of them represent an equivalent
> requirement / setting (regardless of how likely it is that they would be
> expressed in that form)?
>
> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit
> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping
> -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x
> -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500
> ..
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
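The specific-before-general ordering Steve recommends, as an added example that is not part of the thread and not auditd's own code. The paths (/etc/shadow before /etc) come from his reply; the keys shadow_changes and etc_changes, the -w watch form, and the checker itself are assumptions made here. Because the exit filter is first-match-wins and a -w watch on a directory covers the files beneath it, a write to /etc/shadow under the wrong ordering is matched by the /etc rule and tagged with its key, and the /etc/shadow rule is never reached. The shell function below walks a rules file in listed order and reports any -w path that sits under an earlier -w path:

```shell
#!/bin/sh
# Added example (not from the thread, not the audit project's own code):
# the same pair of watches in both orders, plus a small checker that flags a
# broad directory watch listed before a more specific path underneath it.
# Paths are from Steve's reply; keys and the -w rule form are assumptions.

# Constructed sample: general watch first (wrong order). A write to
# /etc/shadow matches the /etc watch first and is tagged etc_changes only.
BAD_RULES='-w /etc -p wa -k etc_changes
-w /etc/shadow -p wa -k shadow_changes'

# Constructed sample: specific watch first (the ordering Steve recommends).
GOOD_RULES='-w /etc/shadow -p wa -k shadow_changes
-w /etc -p wa -k etc_changes'

# shadowed_watches RULES
#   Reads -w rule lines from the string RULES (same syntax as
#   /etc/audit/audit.rules or the output of `auditctl -l`), prints one line
#   per -w path that lies under an earlier -w path, and returns 1 if any
#   were found, 0 otherwise. Only -w lines are examined; -a/-F syscall
#   rules and comments are ignored by this simplified checker.
shadowed_watches() {
    printf '%s\n' "$1" | awk '
        BEGIN { found = 0; n = 0 }
        $1 == "-w" {
            p = $2
            for (i = 1; i <= n; i++) {
                q = seen[i]
                # q covers p when q is "/" or p starts with "q/"
                if (q == "/" || index(p, q "/") == 1) {
                    printf "%s shadowed by earlier watch on %s\n", p, q
                    found = 1
                }
            }
            seen[++n] = p
        }
        END { exit found }
    '
}

# Stand-alone usage: report on both constructed samples.
echo "bad ordering:"
shadowed_watches "$BAD_RULES" || echo "  -> reorder: specific before general"
echo "good ordering:"
shadowed_watches "$GOOD_RULES" && echo "  -> no shadowed watches"
```

On a live system, current auditctl versions print the loaded rules in evaluation order and in this same syntax, so `shadowed_watches "$(auditctl -l)"` runs the check against what the kernel actually has loaded rather than against the file on disk.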