Re: Does the order / position of audit rule's arguments matter?
On Monday, January 19, 2015 01:19:16 PM Jan Lieskovsky wrote:
Thank you both for quick replies.
----- Original Message -----
> From: "Steve Grubb" <sgrubb(a)redhat.com>
> To: "Richard Guy Briggs" <rgb(a)redhat.com>
> Cc: linux-audit(a)redhat.com, "Jan Lieskovsky" <jlieskov(a)redhat.com>,
"Shawn
> Wells" <shawn(a)redhat.com> Sent: Monday, January 19, 2015 7:11:10 PM
> Subject: Re: Does the order / position of audit rule's arguments matter?
>
> On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> > On 15/01/19, Steve Grubb wrote:
> > > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > > Hello folks,
> > > >
> > > > wasn't able to find answer to the following question in the
> > > > auditctl
> > > >
> > > > manual page, thus checking here - does the order / position in which
> > > > the
> > > > auditctl's | /etc/audit/audit.rules' audit rule arguments are
listed
> > > > in
> > > > the rule matter or all permutations of the arguments are allowed?
> > >
> > > Yes, its a first match wins system. I tell people to order from
> > > specific
> > > to
> > > general. IOW, put a watch on /etc/shadow before a watch on /etc.
> >
> > I don't think that answers Jan's question. I understood the question
to
> > be the ordering of arguments *within* a rule.
Yes, was about this case. But good to know also order of rules matters
(to list them that way).
> I believe the answer is
>
> > "no".
> >
> > so:
> > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
>
> auid!=4294967295
>
> > -k privileged would be equivalent to:
> > -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F
>
> auid>=500
>
> > -k privileged
>
> If that is the case, then you want to have the fields in the order in
> which
> the
> system can decide "no" as fast as possible.
Meaning the audit rule's arguments to be sorted? Or just follow the form
as it's listed for example in /usr/share/doc/audit-2.3.7/stig.rules file?
(IOW action first, then path to binary, then other -F arguments - for these
to be listed in ascending alphabetical order?)
Yes, the audit system is like
for each rule
if (syscall & mask)
for each field
if fval != rval
next rule
endif
done
record event
endif
done
So, by deciding "no" quickly, it can move on to the next rule to iterate over
the fields.
The stig.rules is ordered correctly and is intended that anyone that needs to
STIG a box simply copies the file "as is" to the rules.d directory. Any
problems between what the file has and what's needed should be reported here so
the file can be corrected.
-Steve