Thank you both for quick replies.

----- Original Message -----
> From: "Steve Grubb" <sgr...@redhat.com>
> To: "Richard Guy Briggs" <r...@redhat.com>
> Cc: linux-audit@redhat.com, "Jan Lieskovsky" <jlies...@redhat.com>, "Shawn Wells" <sh...@redhat.com>
> Sent: Monday, January 19, 2015 7:11:10 PM
> Subject: Re: Does the order / position of audit rule's arguments matter?
>
> On Monday, January 19, 2015 01:06:42 PM Richard Guy Briggs wrote:
> > On 15/01/19, Steve Grubb wrote:
> > > On Monday, January 19, 2015 12:57:11 PM Jan Lieskovsky wrote:
> > > > Hello folks,
> > > >
> > > > wasn't able to find answer to the following question in the auditctl
> > > > manual page, thus checking here - does the order / position in which
> > > > the auditctl's | /etc/audit/audit.rules' audit rule arguments are
> > > > listed in the rule matter or all permutations of the arguments are
> > > > allowed?
> > >
> > > Yes, it's a first match wins system. I tell people to order from
> > > specific to general. IOW, put a watch on /etc/shadow before a watch
> > > on /etc.
> >
> > I don't think that answers Jan's question. I understood the question to
> > be the ordering of arguments *within* a rule.

Yes, was about this case. But good to know also the order of rules matters (to list them that way).

> > I believe the answer is "no".
> >
> > so:
> >
> >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> >
> > would be equivalent to:
> >
> >   -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F auid>=500 -k privileged
>
> If that is the case, then you want to have the fields in the order in
> which the system can decide "no" as fast as possible.

Meaning the audit rule's arguments are to be sorted? Or just follow the form as it's listed, for example, in the /usr/share/doc/audit-2.3.7/stig.rules file? (IOW action first, then path to binary, then other -F arguments - for these to be listed in ascending alphabetical order?)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> -Steve
>
> > > -Steve
> > >
> > > > IOW suppose the following rule:
> > > >
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > >
> > > > Is
> > > >
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > >
> > > > the only allowed form or are all the other possible argument
> > > > permutations [*] also valid / supported (under the assumption there
> > > > isn't some option missing or some new option added of course when
> > > > compared to the original rule)?
> > > >
> > > > Thank you && Regards, Jan.
> > > > --
> > > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > > >
> > > > [*] For example suppose five different /etc/audit/audit.rules
> > > > configurations would use the forms as follows below - do all of them
> > > > represent an equivalent requirement / setting? (regardless of how
> > > > likely it is they would be expressed in that form)
> > > >
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > >   -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > >   -a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
> > > >   -a always, exit -F path/bin/ping -F auid>=500 -F auid!=4294967295 -k privileged
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -k privileged
> > > >   -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 ..
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rbri...@redhat.com>
> > Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> > Red Hat Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
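The two points raised in the thread, that the -F fields inside one rule are an unordered set while the rules themselves are matched first-match-wins, can be checked offline with a small rule comparator. The following is an added example written for this page; it is not part of the audit package and none of the thread's participants posted it. It parses only the options the thread uses (-a/-A, -w, -p, -F, -S, -k) and rejects anything else; the handling of -p as an order-insensitive permission mask and the rule lines embedded as sample input are assumptions made for the example, with the sample rules copied from the thread.

```python
"""Compare auditctl rule lines while ignoring the order of their -F options.

Added example for this thread; it is not code from the audit package.  It
models two claims made above: -F fields inside one rule form an unordered
set, and the order of rules in audit.rules is first-match-wins, so a broad
watch listed before a narrower one takes the event first.
"""
import os
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str                          # "syscall" for -a/-A, "watch" for -w
    action: str = ""                   # -a always,exit -> "always"
    list_name: str = ""                # -a always,exit -> "exit"
    fields: frozenset = frozenset()    # every -F expression, order discarded
    syscalls: frozenset = frozenset()  # every -S name, order discarded
    path: str = ""                     # -w path, normalised
    perms: str = ""                    # -p perms, sorted (assumed to be a r/w/x/a mask)
    key: str = ""                      # -k key


def parse_rule(line):
    """Parse one audit.rules line; raise ValueError for malformed input."""
    argv = shlex.split(line)
    kind, kw, fields, syscalls = "", {}, [], []
    for i in range(0, len(argv), 2):
        opt = argv[i]
        if i + 1 >= len(argv):
            raise ValueError(f"option {opt!r} needs an argument: {line!r}")
        val = argv[i + 1]
        if opt in ("-a", "-A"):
            action, _, list_name = val.partition(",")
            if not action or not list_name:        # catches "-a always, exit"
                raise ValueError(f"malformed action,list {val!r}: {line!r}")
            kind, kw["action"], kw["list_name"] = "syscall", action, list_name
        elif opt == "-w":
            kind, kw["path"] = "watch", os.path.normpath(val)
        elif opt == "-p":
            kw["perms"] = "".join(sorted(val))
        elif opt == "-F":
            if not any(op in val for op in ("=", "<", ">", "&")):
                raise ValueError(f"-F lacks an operator: {val!r}")  # "path/bin/ping"
            fields.append(val)
        elif opt == "-S":
            syscalls.append(val)
        elif opt == "-k":
            kw["key"] = val
        else:
            raise ValueError(f"unsupported option {opt!r}: {line!r}")
    if not kind:
        raise ValueError(f"rule has neither -a nor -w: {line!r}")
    return Rule(kind=kind, fields=frozenset(fields),
                syscalls=frozenset(syscalls), **kw)


def equivalent(rule_a, rule_b):
    """True when the two lines differ only in the order of their options."""
    return parse_rule(rule_a) == parse_rule(rule_b)


def is_well_formed(line):
    """True when the line parses; the thread's typo'd variants return False."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def shadowed_watches(lines):
    """Return (general_no, specific_no) line-number pairs where a watch on a
    parent directory precedes a watch on a path beneath it.  With first
    match wins the earlier, broader rule takes the event, hence the advice
    above to list /etc/shadow before /etc."""
    watches = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if parts and parts[0] == "-w":
            watches.append((no, parse_rule(line).path))
    hits = []
    for i, (no_gen, parent) in enumerate(watches):
        for no_spec, child in watches[i + 1:]:
            if child != parent and os.path.commonpath([parent, child]) == parent:
                hits.append((no_gen, no_spec))
    return hits


# Sample input constructed from the rules quoted in the thread.
RULE = "-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
RULE_SWAPPED = "-a always,exit -F path=/bin/ping -F perm=x -F auid!=4294967295 -F auid>=500 -k privileged"
RULE_NO_UNSET = "-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -k privileged"
RULE_BROKEN = "-a always, exit -F path/bin/ping -F auid>=500 -F auid!=4294967295 -k privileged"
# Constructed audit.rules fragment with the broad watch listed first.
WATCHES_GENERAL_FIRST = ["-w /etc -p wa -k etc", "-w /etc/shadow -p wa -k shadow"]

if __name__ == "__main__":
    print("field order ignored:", equivalent(RULE, RULE_SWAPPED))
    print("dropped auid filter:", equivalent(RULE, RULE_NO_UNSET))
    print("broken rule parses:", is_well_formed(RULE_BROKEN))
    print("shadowed watches:", shadowed_watches(WATCHES_GENERAL_FIRST))
```

Because the comparator only normalises field order, it flags the variants in Jan's footnote that drop a field or mangle an option as different or malformed rather than equivalent; it says nothing about which field order the kernel evaluates fastest, which is the separate question Steve's remark raises.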