On Wednesday, August 21, 2013 12:35:01 PM zhu xiuming wrote:
> I am little confused by the relationship between audit rules.
>
> I want to log all other users command history and read/write passwd except
> me (auid 16382)
>
> However, it seems I have to add -F auid!=16382 on  both rules.
>
> -a always,exit -F arch=b32 -S execve  -k EXEC_log
>  -w /etc/passwd           -p wr  -k identity_write
>
> I tried to add following rules "before" the two rules above.
> -a never,exit -F auid=16382
>
> However, it does not work at all.
>
> So, the rules in audit rules seem independent from each other.  Am I right?

For each filter, the first match wins. So, you have to organize the rules from
specific to general in case there's a possibility of triggering two or more
rules.

You could do this:

-a always,exit -F path=/etc/passwd -F perm=wr -F auid!=16382 -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F auid!=16382 -F key=EXEC_log

or

-a never,exit -F arch=b32 -S all -F auid=16382
-a always,exit -F path=/etc/passwd -F perm=wr -F key=pwd_log
-a always,exit -F arch=b32 -S execve -F key=EXEC_log

They should be equivalent. Also, the only time you need b32 is when you have
an x86_64 system.  In that case you need another set of rules with b64 since
64 bit systems normally have both 32 and 64 bit interfaces. If you have true
32 bit system just delete the field.

-Steve