Hello, I would like some of my audit rules to apply when auid >= 500 For example consider this use case: [EMAIL PROTECTED] audit]# auditctl -v auditctl version 1.3.1 [EMAIL PROTECTED] audit]# cat /etc/audit/audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 256 # Feel free to add below this line. See auditctl man page -a exit,always -S socketcall -F a0=4 -F auid>=500 -k eq_greater_than_test [EMAIL PROTECTED] audit]# /etc/init.d/auditd restart Stopping auditd: [ OK ] Starting auditd: [ OK ]
[EMAIL PROTECTED] audit]# auditctl -l LIST_RULES: exit,always a0=4 (0x4) auid=500 (0x1f4) key=eq_greater_than_test syscall=socketcall In "/etc/audit/audit.rules" I specify that "auid>=500" but "auditctl -l" shows that the rule matches "auid=500". What is the syntax for creating a rule that applies when auid>=500 ? Med venlig hilsen / kind regards Søren Olesen Systems Engineer Systematic Software Engineering A/S Søren Frichs Vej 39, DK-8000 Aarhus C Tel.: +45 8943 2055 Fax: +45 8943 2020 Web: www.systematic.dk <blocked::http://www.systematic.dk/>
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
