So, my security folks would really like to have our RHEL systems audited to hell and gone. Unfortunately, this chews up a lot of filesystem space to do so. In their first steps down this path, they'd requested that we set a watch on the entirety of /etc. Given the number of accesses to things like /etc/passwd (e.g., the VMware guest daemon reads it rather frequently), we'd tried to put an exception in place for this file. It resulted in two rules:
-w /etc/passwd -p wa -k idactions -F auid!=<TargetAUID>
I'm used to rules-processing being "first match". However, even though we have our more-explicit /etc-related rules first, it seems like the /etc/passwd rule is getting overridden by the more general /etc rule (so, our logs are filling up too quickly on our VMware-hosted systems). Does auditd use an algorithm other than "first match"? Can I get the desired effect simply by rule reordering or is it simply the case that auditd processes *all* rules, regardless of order and I'm pretty much boned if I want to have a general rule that I want to make exceptions to?