Re: Does the order / position of audit rule's arguments matter?

Hello folks, wasn't able to find answer to the following question in the auditctl manual page, thus checking here - does the order / position in which the auditctl's | /etc/audit/audit.rules' audit rule arguments are listed in the rule matter or all permutations of the arguments are allowed?

IOW suppose the following rule: -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged Is -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged the only allowed form or are all the other possible argument permutations [*] also valid / supported (under assumption there isn't some option missing or some new option added of course when compared to the original rule)? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team [*] For example suppose five different /etc/audit/audit.rules configurations would use the forms as follows below - do all of them represent equivalent requirement / setting? (regardless how much it's likely they would be expressed in that form of) -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always, exit -F path/bin/ping -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 .. -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit