Re: The relationship between audit rules

Got it Thanks a lot On Wed, Aug 21, 2013 at 1:00 PM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote: > > I am little confused by the relationship between audit rules. > > > > I want to log all other users command history and read/write passwd > except > > me (auid 16382) > > > > However, it seems I have to add -F auid!=16382 on both rules. > > > > -a always,exit -F arch=b32 -S execve -k EXEC_log > > -w /etc/passwd -p wr -k identity_write > > > > I tried to add following rules "before" the two rules above. > > -a never,exit -F auid=16382 > > > > However, it does not work at all. > > > > So, the rules in audit rules seem independent from each other. Am I > right? > > For each filter, the first match wins. So, you have to organize the rules > from > specific to general in case there's a possibility of triggering two or > more > rules. > > You could do this: > > -a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F > key=pwd_log > -a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log > > or > > -a never,exit -F arch=b32 -S all -F auid=16382 > -a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log > -a always,exit -F arch=b32 -S execve -F key=EXEC_log > > They should be equivalent. Also, the only time you need b32 is when you > have > an x86_64 system. In that case you need another set of rules with b64 > since > 64 bit systems normally have both 32 and 64 bit interfaces. If you have > true > 32 bit system just delete the field. > > -Steve >