On Monday, July 29, 2013 11:38:15 AM zhu xiuming wrote:
> HI
> I have two rules in my audit rules
> -a always,exit -F arch=b32 -S execve -k EXEC_LOG
> -w /etc/passwd -p wra -k identity
>
>
> When I enter
> cat /etc/passwd on the console
>
> Both rules are matched and there is redundant information in the log. How
> to make sure there is only one rule matched.

The problem is that two different events are actually occurring. The
granularity of the Linux audit system is at the syscall level rather than a
higher level such as commands. The first event you get is probably the execve
for /bin/cat. Then once that program starts running, it does an open syscall
of /etc/passwd. So the audit system matches twice.
On any single system call, the audit system only matches the first rule it
finds. It will not match twice on a single syscall.
-Steve
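To make the point in the reply concrete, here is an added example (not part of the thread, and not code from the audit project): a small parser that groups audit.log records by their event serial number and reports the syscall and key of each event. The log lines are constructed to resemble what the two rules above would emit for `cat /etc/passwd` on a b32 arch (syscall 11 is execve, syscall 5 is open on i386); they are not real records from the poster's system. Grouping by serial shows that the "redundant" output is two distinct events, each matched by exactly one rule.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the original thread): the execve of
# /bin/cat hits the EXEC_LOG rule, the later open of /etc/passwd hits the
# identity watch. Records that share msg=audit(ts:serial) are one event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1375100295.101:2001): arch=40000003 syscall=11 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="EXEC_LOG"
type=EXECVE msg=audit(1375100295.101:2001): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1375100295.101:2001): cwd="/home/user"
type=PATH msg=audit(1375100295.101:2001): item=0 name="/bin/cat" inode=1001 mode=0100755
type=SYSCALL msg=audit(1375100295.102:2002): arch=40000003 syscall=5 success=yes exit=3 ppid=1200 pid=1234 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="identity"
type=CWD msg=audit(1375100295.102:2002): cwd="/home/user"
type=PATH msg=audit(1375100295.102:2002): item=0 name="/etc/passwd" inode=2002 mode=0100644
"""

# Header of every audit record: type, then msg=audit(<timestamp>:<serial>):
MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values may be quoted strings
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, fields)."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, int(serial), fields


def group_events(log_text):
    """Group records by event serial. All records of one event describe
    a single system call, so each event carries at most one SYSCALL record
    and therefore at most one rule key."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(
            serial, {"time": ts, "records": [], "syscall": None, "keys": []})
        ev["records"].append(rtype)
        if rtype == "SYSCALL":
            ev["syscall"] = int(fields["syscall"])
            key = fields.get("key")
            if key and key != "(null)":
                ev["keys"].append(key)
    return events


def summarize(log_text):
    """Return one (serial, syscall number, key) tuple per event."""
    return [(s, e["syscall"], e["keys"][0] if e["keys"] else None)
            for s, e in group_events(log_text).items()]


def max_keys_per_event(log_text):
    """How many rule keys the busiest single event carries."""
    return max(len(e["keys"]) for e in group_events(log_text).values())


if __name__ == "__main__":
    for serial, syscall, key in summarize(SAMPLE_LOG):
        print(f"event {serial}: syscall={syscall} key={key}")
    print("max keys on any one event:", max_keys_per_event(SAMPLE_LOG))
```

On a live system the same separation is what `ausearch -k EXEC_LOG` versus `ausearch -k identity` gives you: each key selects a different event, so the two lines are complementary records of the same command rather than duplicates.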