Hi,
I added the following rules:
# ./sbin/auditctl -a exit,never -F path=/usr/bin/vim -F perm=x -F uid=0
# ./sbin/auditctl -a exit,always -F uid=0 -F success=1 -S execve -S open -k root_exec
# ./sbin/auditctl -l
LIST_RULES: exit,always uid=0 success=1 (0x1) key=root_exec syscall=open,execve
LIST_RULES: exit,never watch=/usr/bin/vim perm=x uid=0
As you can see, the rule with the 'never' action was introduced first, but in the exit
table they are in reverse order. No matter in what order the rules are
inserted from the command line, in the exit table the rules with the 'never' action
are appended to the end of the list, so they have no effect.
--
Loredan Stancu | system administrator | admin(a)myclar.ro
MyClar Connection |
http://www.myclar.ro | loredan.stancu(a)myclar.ro
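
The ordering reported in the message above can be checked mechanically. The following is an added example, not part of the original message or of the audit project's code: a shell function that reads `auditctl -l` output in the LIST_RULES format quoted above and reports each `never` rule that is listed after an `always` rule in the same filter list. The function names `late_never_rules` and `sample_listing` are assumptions of this example; the sample input is the listing from the message.

```shell
#!/bin/sh
# Added example: audit filter lists are walked in order and the first matching
# rule decides, so a "never" rule listed after an "always" rule deserves review.

# Reads `auditctl -l` output (LIST_RULES format) on stdin and prints
# "<position>: <rule>" for each never rule that follows an always rule
# in the same filter list.
late_never_rules() {
    awk '
    # Classify the buffered rule, then clear the buffer.
    function emit(   parts) {
        if (rule == "") return
        split(spec, parts, ",")          # spec looks like "exit,never"
        pos[parts[1]]++
        if (parts[2] == "always")
            seen_always[parts[1]] = 1
        else if (parts[2] == "never" && seen_always[parts[1]])
            printf "%d: %s\n", pos[parts[1]], rule
        rule = ""
    }
    /^LIST_RULES:/ {
        emit()
        spec = $2
        rule = $0
        sub(/^LIST_RULES: */, "", rule)
        next
    }
    # Any other non-empty line is a wrapped continuation of the previous rule.
    NF && rule != "" { rule = rule " " $0 }
    END { emit() }
    '
}

# Sample input: the listing quoted in the message, including its line wrap.
sample_listing() {
    cat <<'EOF'
LIST_RULES: exit,always uid=0 success=1 (0x1) key=root_exec
syscall=open,execve
LIST_RULES: exit,never watch=/usr/bin/vim perm=x uid=0
EOF
}

sample_listing | late_never_rules
```

On a live system, pipe `auditctl -l` into `late_never_rules`; it parses only the LIST_RULES format shown in the message.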