Re: How to make audit match only one rule?

On Monday, July 29, 2013 11:38:15 AM zhu xiuming wrote: > HI > I have two rules in my audit rules > -a always,exit -F arch=b32 -S execve -k EXEC_LOG > -w /etc/passwd -p wra -k identity > > > When I enter > cat /etc/passwd on the console > > Both rules are matched and there is redundant information in the log. How > to make sure there is only one rule matched. The problem is that two different events are actually occurring. The granularity of the Linux audit system is at the syscall level rather than a higher level such as commands. The first event you get is probably the execve for /bin/cat. Then once that program starts running, it does an open syscall of /etc/passwd. So the audit system matches twice. On any single system call, the audit system only matches the first rule it finds. It will not match twice on a single syscall. -Steve