From: Bryan Jacobs
Subject: Question - Rule Syntax
Date: Thu, 22 Dec 2011 16:19:34 -0500
Message-ID: <4EF39EE6.3020808@builtbygeek.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

All,

New auditd list member here. I just started playing around with auditd. I was wondering if someone might be kind enough to answer a question I have.

I am attempting to create a rule that will audit privileged commands for UIDs greater than 500 but ignore one particular user that falls under this rule. The user I am trying to ignore is the only user that should be touching the file. Below is the rule.
#### BEGIN RULE SNIP ####
## Ensure auditd Collects Information on the Use of Privileged Commands
-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
#### END RULE SNIP ####

Is the rule syntax above correct? If not, how would I audit all users with UID above 500 but still ignore one particular user?

Thank you and happy holidays,

-- 
BKJ
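The question turns on how the kernel combines several -F comparisons on one rule: every -F field on a single auditctl rule must be true for the rule to fire (they are ANDed; OR requires separate rules), and auid>=500 alone also catches the "unset" login UID 4294967295, which is why the auid!=4294967295 field is needed. The following is an added illustration, not code from the original post or from auditd: a small model of that AND evaluation run over constructed exec events for the rule quoted above. The parser only understands the option subset the rule uses (-a, -F, -k with =, !=, >=, <=, >, <); the function and event-field names are assumptions made for the example.

```python
"""Model of how the audit filter evaluates the -F fields of one auditctl
rule: every comparison must hold for the rule to match (logical AND).
Added illustration only; it is not auditd code and understands just the
syntax used by the rule under discussion."""

import operator
import shlex

# The login UID of a process whose loginuid was never set (daemons, anything
# started before pam_loginuid ran) is reported as (unsigned)-1.
AUID_UNSET = 4294967295

# Longest operators are tried first so "!=" and ">=" are not read as "=" / ">".
_OPS = {
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    "=": operator.eq,
    ">": operator.gt,
    "<": operator.lt,
}

# The rule from the question, exactly as posted.
RULE = ("-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x "
        "-F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged")


def _parse_field(expr: str):
    """Turn 'auid>=500' into ('auid', '>=', 500); numeric values become ints."""
    for op in sorted(_OPS, key=len, reverse=True):
        if op in expr:
            name, value = expr.split(op, 1)
            return name, op, (int(value) if value.isdigit() else value)
    raise ValueError(f"no comparison operator in {expr!r}")


def parse_rule(rule: str):
    """Split an auditctl rule line into (action, [(field, op, value)], key)."""
    tokens = shlex.split(rule)
    action, fields, key = None, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":
            action = tokens[i + 1]
        elif tok == "-F":
            fields.append(_parse_field(tokens[i + 1]))
        elif tok == "-k":
            key = tokens[i + 1]
        else:
            raise ValueError(f"unsupported option {tok!r}")
        i += 2
    return action, fields, key


def rule_matches(rule: str, event: dict) -> bool:
    """True only when every -F comparison on the rule holds for the event."""
    _, fields, _ = parse_rule(rule)
    for name, op, value in fields:
        if name == "perm":
            # perm=x is satisfied when the event is an exec of the watched path;
            # constructed events carry the access type in 'perm'.
            if value not in event.get("perm", ""):
                return False
            continue
        if name not in event or not _OPS[op](event[name], value):
            return False
    return True


def audited_auids(rule: str = RULE,
                  auids=(0, 499, 500, 505, 506, 1000, AUID_UNSET)):
    """Constructed exec events of the watched path, one per login UID; return
    the UIDs whose exec the rule would record."""
    path = "/opt/varonis1.6.0106/bin/ls"
    events = [{"path": path, "perm": "x", "auid": a} for a in auids]
    return [e["auid"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("recorded for auids:", audited_auids())   # 505 and unset are excluded
    print("key:", parse_rule(RULE)[2])
```

The model says 505 and the unset UID are excluded while 500, 506 and 1000 are recorded, which is the behaviour the poster is after. The real check is to load the rule (auditctl -a ... with the same fields) and confirm it with `auditctl -l`; auditctl only rejects syntax at load time, and `ausearch -k privileged` shows what the loaded rule actually captures.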