public inbox for linux-audit@redhat.com
From: Bryan Jacobs <bkj@builtbygeek.com>
To: linux-audit@redhat.com
Subject: Question - Rule Syntax
Date: Thu, 22 Dec 2011 16:19:34 -0500
Message-ID: <4EF39EE6.3020808@builtbygeek.com>

All,

New auditd list member here.  I just started playing around with auditd. 
I was wondering if someone might be kind enough to answer a question I 
have. I am attempting to create a rule that will audit privileged 
commands for UIDs greater than 500 but ignore one particular user that 
falls under this rule.  The user I am trying to ignore is the only user 
that should be touching the file.

Below is the rule.

#### BEGIN RULE SNIP ####

## Ensure auditd Collects Information on the Use of Privileged Commands

-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged

#### END RULE SNIP ####

Is the rule syntax above correct?  If not how would I audit all users 
with UID above 500 but still ignore one particular user?


Thank you and happy holidays,

-- 
BKJ
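As an added illustration (this is not code from the message above, nor from the audit project): auditctl ANDs every -F field of one rule, so `auid>=500` together with `auid!=505` and `auid!=4294967295` (4294967295 is the "unset" login UID, -1 as an unsigned value) audits executions by every login UID at or above 500 except 505. The script below joins the posted rule onto one line, parses its -F filters, and evaluates constructed events against them with that AND semantics. The event dictionary layout, the `parse_rule`/`matches` helper names and the numeric-field list are this example's own assumptions; the script only models the rule's logic and does not talk to the kernel.

```python
from typing import Dict, List, Tuple, Union

# Constructed sample: the rule from the message, joined onto one line
# (the mail client wrapped it across two lines in the original post).
RULE = ("-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x "
        "-F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged")

# Comparison operators, longest first so "!=" is not split as "!" + "=".
OPS = ("!=", ">=", "<=", ">", "<", "=")

# Fields compared numerically in this model (assumption: everything else is a string).
NUMERIC_FIELDS = {"auid", "uid", "euid", "gid", "egid", "pid", "ppid", "exit"}

Filter = Tuple[str, str, str]


def parse_rule(rule: str) -> Tuple[List[Filter], str]:
    """Split an auditctl rule line into its -F (field, op, value) filters and -k key.

    Assumption: only -a, -F and -k options appear, as in the posted rule.
    """
    tokens = rule.split()
    filters: List[Filter] = []
    key = ""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-F":
            i += 1
            expr = tokens[i]
            for op in OPS:
                if op in expr:
                    field, value = expr.split(op, 1)
                    filters.append((field, op, value))
                    break
            else:
                raise ValueError(f"no comparison operator in -F {expr}")
        elif tok == "-k":
            i += 1
            key = tokens[i]
        elif tok == "-a":
            i += 1  # action,list pair (always,exit); not needed to evaluate fields
        else:
            raise ValueError(f"unexpected token {tok}")
        i += 1
    return filters, key


def matches(filters: List[Filter], event: Dict[str, Union[int, str]]) -> bool:
    """True only if every -F filter holds: auditctl ANDs all fields of one rule."""
    for field, op, value in filters:
        actual = event.get(field)
        if actual is None:
            return False
        if field in NUMERIC_FIELDS:
            lhs: Union[int, str] = int(actual)
            rhs: Union[int, str] = int(value)
        else:
            lhs, rhs = str(actual), value
        ok = {
            "=": lhs == rhs,
            "!=": lhs != rhs,
            ">=": lhs >= rhs,
            "<=": lhs <= rhs,
            ">": lhs > rhs,
            "<": lhs < rhs,
        }[op]
        if not ok:
            return False
    return True


def audited_auids(rule: str, auids: List[int], path: str, perm: str = "x") -> List[int]:
    """Return the login UIDs from `auids` whose execution of `path` the rule would record."""
    filters, _key = parse_rule(rule)
    return [a for a in auids if matches(filters, {"auid": a, "path": path, "perm": perm})]


if __name__ == "__main__":
    # Constructed login UIDs: root, the unset marker, the excluded user, and two others.
    candidates = [0, 4294967295, 505, 500, 510]
    print(audited_auids(RULE, candidates, "/opt/varonis1.6.0106/bin/ls"))  # [500, 510]
```

On a real host the authoritative syntax check is to load the rule with `auditctl` and confirm it with `auditctl -l`; the model above only shows what the combined filters mean, namely that 505 and the unset login UID are dropped while every other UID from 500 upward is kept.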




Thread overview: 4+ messages
2011-12-22 21:19 Bryan Jacobs [this message]
2011-12-29 14:10 ` Question - Rule Syntax Trevor Vaughan
2011-12-30  1:32   ` Bryan Jacobs
2012-01-03 14:13 ` Steve Grubb
