I have an /etc/audit/rules.d/audit.rules file with the following:

-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 ...etc...
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 ...etc...

After augenrules, the same is in the /etc/audit/audit.rules file.

However, auditctl -l displays the lines as:

-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 ...etc...
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 ...etc...

No matter what I do to refresh the auditd service and its configs, auditctl -l does not match what is in the rules files. Why is this and is there something to remedy this?

MarkX999

1 Answer

The order does not matter, because each system call in the rule is matched independently. In practice, what you should care about is:

  • It is more efficient to list them all on a single rule.
  • As the system calls are matched by ID rather than the human-readable name, you need separate rules per architecture.

The ordering seems quite interesting indeed, as they are neither in the configured order nor ordered by the ID on the given architecture. The internal behavior of auditd in listing rules (auditctl -l) could involve grouping syscalls, optimization in rule processing, or an internal indexing system that causes syscalls to appear in a different order. You should not worry about any of this as the outcome remains the same.

Esa Jokinen
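A small check that compares the configured rules with what the kernel reports, treating two rules as equal when they differ only in the order of the -S syscall names. This is an added example, not code from the question or answer; it assumes the rule syntax shown above and that auditctl -l prints a -k key in the -F key=KEY form.

```python
import shlex
from typing import List, Set, Tuple

Rule = Tuple[str, ...]

def normalize_rule(line: str) -> Rule:
    """Canonical form of one rule line: tokens keep their order, but each -S
    list is sorted (the kernel matches syscalls independently, so order has no
    meaning) and -k KEY becomes -F key=KEY, the listing form assumed here."""
    tokens = shlex.split(line, comments=True)
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-S" and arg is not None:
            out += ["-S", ",".join(sorted(set(arg.split(","))))]
            i += 2
        elif tok == "-k" and arg is not None:
            out += ["-F", "key=" + arg]
            i += 2
        else:
            out.append(tok)
            i += 1
    return tuple(out)

def rule_set(text: str) -> Set[Rule]:
    """Normalized -a/-w rules from a rules file or `auditctl -l` output;
    blank lines, comments and control lines such as -D or -b are skipped."""
    rules: Set[Rule] = set()
    for line in text.splitlines():
        norm = normalize_rule(line)
        if norm and norm[0] in ("-a", "-w"):
            rules.add(norm)
    return rules

def diff_rules(configured: str, loaded: str) -> Tuple[Set[Rule], Set[Rule]]:
    """(rules configured but not loaded, rules loaded but not configured)."""
    want, have = rule_set(configured), rule_set(loaded)
    return want - have, have - want

# Constructed sample modelled on the question: same rules, syscalls reordered.
CONFIGURED = """\
-D
-b 8192
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -k perm_mod
"""
LOADED = """\
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F key=perm_mod
"""
```

Feed it the contents of /etc/audit/audit.rules and the output of auditctl -l; an empty pair of sets means the loaded policy is the configured one, whatever order the names are printed in.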