Hello,
I would like some of
my audit rules to apply when auid >= 500
For example consider
this use case:
[root@localhost audit]# auditctl -v
auditctl version
1.3.1
[root@localhost audit]# cat /etc/audit/audit.rules
#
This file contains the auditctl rules that are loaded
# whenever the audit
daemon is started via the initscripts.
# The rules are simply the parameters
that would be passed
# to auditctl.
# First rule
- delete all
-D
# Increase
the buffers to survive stress events.
# Make this bigger for busy
systems
-b 256
# Feel free
to add below this line. See auditctl man page
-a
exit,always -S socketcall -F a0=4 -F auid>=500 -k
eq_greater_than_test
[root@localhost audit]# /etc/init.d/auditd
restart
Stopping
auditd:
[ OK ]
Starting
auditd:
[ OK ]
[root@localhost audit]# auditctl -l
LIST_RULES:
exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test
syscall=socketcall
In
"/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows
that the rule matches "auid=500".
What is the syntax
for creating a rule that applies when auid>=500 ?
Med venlig hilsen /
kind regards
Søren
Olesen
Systems
Engineer
Systematic Software
Engineering A/S
Søren Frichs Vej 39, DK-8000 Aarhus C
Tel.: +45 8943
2055
Fax: +45 8943 2020
Web: www.systematic.dk