Re: Does the order / position of audit rule's arguments matter?
Thank you both for quick replies.
----- Original Message -----
From: "Steve Grubb" <sgrubb(a)redhat.com>
To: "Richard Guy Briggs" <rgb(a)redhat.com>
Cc: linux-audit(a)redhat.com, "Jan Lieskovsky" <jlieskov(a)redhat.com>,
"Shawn Wells" <shawn(a)redhat.com>
Sent: Monday, January 19, 2015 7:11:10 PM
Subject: Re: Does the order / position of audit rule's arguments matter?
On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> On 15/01/19, Steve Grubb wrote:
> > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > Hello folks,
> > >
> > > wasn't able to find answer to the following question in the
auditctl
> > >
> > > manual page, thus checking here - does the order / position in which
> > > the
> > > auditctl's | /etc/audit/audit.rules' audit rule arguments are
listed in
> > > the rule matter or all permutations of the arguments are allowed?
> >
> > Yes, its a first match wins system. I tell people to order from specific
> > to
> > general. IOW, put a watch on /etc/shadow before a watch on /etc.
>
> I don't think that answers Jan's question. I understood the question to
> be the ordering of arguments *within* a rule.
Yes, was about this case. But good to know also order of rules matters
(to list them that way).
I believe the answer is
> "no".
>
> so:
> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
auid!=4294967295
> -k privileged would be equivalent to:
> -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F
auid>=500
> -k privileged
If that is the case, then you want to have the fields in the order in which
the
system can decide "no" as fast as possible.
Meaning the audit rule's arguments to be sorted? Or just follow the form
as it's listed for example in /usr/share/doc/audit-2.3.7/stig.rules file?
(IOW action first, then path to binary, then other -F arguments - for these
to be listed in ascending alphabetical order?)
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
-Steve
> > -Steve
> >
> > > IOW suppose the following rule:
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > >
> > > auid!=4294967295 -k privileged
> > >
> > > Is
> > >
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > >
> > > auid!=4294967295 -k privileged
> > >
> > > the only allowed form or are all the other possible argument
> > > permutations
> > > [*] also valid / supported (under assumption there isn't some option
> > > missing or some new option added of course when compared to the
> > > original
> > > rule)?
> > >
> > > Thank you && Regards, Jan.
> > > --
> > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > >
> > > [*] For example suppose five different /etc/audit/audit.rules
> > > configurations would use the forms as follows below - do all of them
> > > represent equivalent requirement / setting? (regardless how much it's
> > > likely they would be expressed in that form of)
> > >
> > > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > auid!=4294967295
> > > -k privileged -F path=/bin/ping -F perm=x -F auid>=500 -F
> > > auid!=4294967295
> > > -k privileged -a always,exit -F perm=x -F auid>=500 -F
auid!=4294967295
> > > -k
> > > privileged -a always, exit -F path/bin/ping -F auid>=500 -F
> > > auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > perm=x
> > > -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F
> > > perm=x -F auid>=500 ..
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs(a)redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545