From: Steve Grubb
Subject: Re: Does the order / position of audit rule's arguments matter?
Date: Mon, 19 Jan 2015 13:11:10 -0500
Message-ID: <3135589.6d4bqcRY46@x2>
References: <2022844409.13837392.1421690231611.JavaMail.zimbra@redhat.com> <2664220.tArxC4c8Gx@x2> <20150119180642.GS29998@madcap2.tricolour.ca>
In-Reply-To: <20150119180642.GS29998@madcap2.tricolour.ca>
To: Richard Guy Briggs
Cc: Jan Lieskovsky, Shawn Wells, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> On 15/01/19, Steve Grubb wrote:
> > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > Hello folks,
> > >
> > > wasn't able to find an answer to the following question in the auditctl
> > > manual page, thus checking here - does the order / position in which the
> > > auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in
> > > the rule matter or all permutations of the arguments are allowed?
> >
> > Yes, it's a first match wins system. I tell people to order from specific
> > to general. IOW, put a watch on /etc/shadow before a watch on /etc.
>
> I don't think that answers Jan's question. I understood the question to
> be the ordering of arguments *within* a rule. I believe the answer is
> "no".
>
> so:
> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> would be equivalent to:
> -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F auid>=500 -k privileged

If that is the case, then you want to have the fields in the order in which
the system can decide "no" as fast as possible.

-Steve

> > -Steve
> >
> > > IOW suppose the following rule:
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > >
> > > Is
> > >
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > >
> > > the only allowed form or are all the other possible argument permutations
> > > [*] also valid / supported (under assumption there isn't some option
> > > missing or some new option added of course when compared to the original
> > > rule)?
> > >
> > > Thank you && Regards, Jan.
> > > --
> > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > >
> > > [*] For example suppose five different /etc/audit/audit.rules
> > > configurations would use the forms as follows below - do all of them
> > > represent equivalent requirement / setting? (regardless how much it's
> > > likely they would be expressed in that form of)
> > >
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit
> > > -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always, exit -F path/bin/ping
> > > -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x
> > > -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500
> > > ..
> >
> > - RGB
>
> --
> Richard Guy Briggs
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
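An added example, not from the thread or the audit project, that models the two points made above in Python: Richard's claim that the `-F` fields of a rule are equivalent in any order, and Steve's follow-up that the order still decides how quickly a non-matching event is rejected. The parser, the `evaluate` function and the event dictionaries are constructed for illustration; they model left-to-right, stop-at-first-mismatch evaluation and do not reproduce the kernel's actual filter code, and treating every option as position-independent is an assumption of the model, not a statement about what `auditctl` accepts.

```python
import re

# Constructed rules: the thread's example with the two auid fields swapped,
# plus one of Jan's rotated permutations.
RULE_A = ("-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 "
          "-F auid!=4294967295 -k privileged")
RULE_B = ("-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 "
          "-F auid>=500 -k privileged")
ROTATED = ("-F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 "
           "-k privileged -a always,exit")

FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_rule(rule):
    """Split an auditctl-style rule into (action, ordered -F fields, key).
    Options are treated as position-independent (an assumption of this model)."""
    toks, fields, action, key = rule.split(), [], None, None
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-a":
            action = arg
        elif opt == "-k":
            key = arg
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError("bad field: " + arg)
            name, op, val = m.groups()
            fields.append((name, op, int(val) if val.isdigit() else val))
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    return action, fields, key

def same_rule(r1, r2):
    """Equivalent if action, key and the set of fields agree, whatever the order."""
    a1, f1, k1 = parse_rule(r1)
    a2, f2, k2 = parse_rule(r2)
    return (a1, k1, sorted(f1, key=repr)) == (a2, k2, sorted(f2, key=repr))

def evaluate(rule, event):
    """Test fields left to right and stop at the first mismatch.
    Returns (matched, number of comparisons made before deciding)."""
    _, fields, _ = parse_rule(rule)
    for n, (name, op, val) in enumerate(fields, 1):
        if name not in event or not OPS[op](event[name], val):
            return False, n
    return True, len(fields)

# Constructed events: a daemon (auid unset) and an interactive user running ping.
DAEMON_EVENT = {"path": "/bin/ping", "perm": "x", "auid": 4294967295}
USER_EVENT = {"path": "/bin/ping", "perm": "x", "auid": 1000}
```

For the daemon event, RULE_B reaches "no" after three comparisons where RULE_A needs four, while both rules reach the same verdict on every event.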