I saw some discussions and patches about audit rules order on this list
a few months back, and I'm having some problems maintaining the order of
a rules file after the rules are inputted in a RHEL 5.4 box.

My question is: Can we count on the kernel maintaining the order of
rules being entered? If so, perhaps those patches weren't included in
the RHEL 5.4 kernel?

I'm attaching my audit.rules file, which renders the following rule
listing:

[root@bracer2 ~]# auditctl -l
LIST_RULES: exit,never dir=/dev/pts (0x8) perm=rw subj_type=qemu_t
LIST_RULES: exit,never dir=/var/run/libvirt/network (0x18) perm=wa subj_type=dnsmasq_t
LIST_RULES: exit,never dir=/var/log/libvirt/ (0x11) perm=wa subj_type=logrotate_t
LIST_RULES: exit,never dir=/var/cache/libvirt/ (0x13) perm=wa subj_type=initrc_t
LIST_RULES: exit,always dir=/etc/libvirt/ (0xd) perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always arch=1073741827 (0x40000003) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always arch=3221225534 (0xc000003e) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always dir=/var/lib/libvirt/images/ (0x18) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always obj_type=virt_image_t (0xc) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always dir=/var/run/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/lib/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/cache/libvirt/ (0x13) perm=wa subj_type!=qemu_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/log/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_log_change
LIST_RULES: exit,never watch=/dev/ksm perm=rw subj_type=qemu_t
LIST_RULES: exit,never watch=/dev/ptmx perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=x key=virt_qemu_exec
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=wa key=virt_qemu_change
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/ca-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,never watch=/dev/kvm perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-key.pem subj_type!=qemu_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=x key=virt_libvirtd_exec
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=wa key=virt_libvirtd_change
LIST_RULES: exit,always watch=/etc/sasl2/libvirt.conf perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/sysconfig/libvirtd perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/pki/CA/cacert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt/private/serverkey.pem subj_type!=virtd_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/etc/pki/libvirt/servercert.pem perm=wa key=virt_tls_cert

Thanks,
-Klaus
--
Klaus Heinrich Kiwi | klausk(a)br.ibm.com
IBM LTC Security Development |
http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc |
http://www.ratliff.net/blog