The relationship between audit rules
I am little confused by the relationship between audit rules.
I want to log all other users command history and read/write passwd except
me (auid 16382)
However, it seems I have to add -F auid!=16382 on both rules.
-a always,exit -F arch=b32 -S execve -k EXEC_log
-w /etc/passwd -p wr -k identity_write
I tried to add following rules "before" the two rules above.
-a never,exit -F auid=16382
However, it does not work at all.
So, the rules in audit rules seem independent from each other. Am I right?
Attachments:
- attachment.html (text/html — 707 bytes)