From: Trevor Vaughan <peiriannydd@gmail.com>
To: Bryan Jacobs <bkj@builtbygeek.com>
Cc: linux-audit@redhat.com
Subject: Re: Question - Rule Syntax
Date: Thu, 29 Dec 2011 09:10:24 -0500 [thread overview]
Message-ID: <4EFC74D0.1000609@gmail.com> (raw)
In-Reply-To: <4EF39EE6.3020808@builtbygeek.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm hoping to be told otherwise, but the cleanest and most maintainable way that I've seen to do this is to make two rules.
First Rule: Ignore user 505
Second Rule: Audit everyone
Auditd should stop at the first rule matched. It does add more rules but seems to be the most stable across auditd versions.
Also, that auid!=42... should probably be near the top of your rules since it will get hit the most and I'm assuming that you don't ever want to audit
anonymous accesses to most items.
Trevor
On 12/22/2011 04:19 PM, Bryan Jacobs wrote:
> All,
>
> New auditd list member here. I just started playing around with auditd. I was wondering if someone might be kind enough to answer a question I have.
> I am attempting to create a rule that will audit privileged commands for UID's greater than 500 but ignore one particular user that falls under this
> rule. The user I am trying to ignore is the only user that should be touching the file.
>
> Below is the rule.
>
> #### BEGIN RULE SNIP ####
>
> ## Ensure auditd Collects Information on the Use of Privileged Commands
>
> -a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F
> auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
>
> #### END RULE SNIP ####
>
> Is the rule syntax above correct? If not how would I audit all users with UID above 500 but still ignore one particular user?
>
>
> Thank you and happy holidays,
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJO/HTQAAoJECNCGV1OLcyphzYH/3CayBkrfX8CexuW8SMgCXLs
z+3zwug1DMdz6l4mfrp60TfVGL8scteqOjgHP/1hDp+TNwP2YyXxqAeN+XOAePIU
Gekd3QrOc4bCVhBuHF4719SWkEXQ4Gur1DYLAXO/J9p23dWlT4AE+ehAXonq/F40
quGWuIHCLui8KDvwigrYMr6qZeBbu47leTFvHUakqgDCUwXibR7vXUPHYPuO0A2V
p8sHq535nGzLjB6XLk4PWhRVb/JhXBrCy9iA3ONM1ReT0JaEtB0Liukui6Wbq627
fh7/+kQFXRSB7QGHaFZr+FQp6LkwP+2iqC1JBnVc3/pm58q1DRh46e0m9jvPCDc=
=xLIO
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2011-12-29 14:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-22 21:19 Question - Rule Syntax Bryan Jacobs
2011-12-29 14:10 ` Trevor Vaughan [this message]
2011-12-30 1:32 ` Bryan Jacobs
2012-01-03 14:13 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EFC74D0.1000609@gmail.com \
--to=peiriannydd@gmail.com \
--cc=bkj@builtbygeek.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.