-b backlog
Set max number of outstanding audit buffers allowed (Kernel Default=64). If all buffers are full, the failure flag is consulted by the kernel for action.

-e [0..2]
When 0 is passed, this can be used to temporarily disable auditing. When 1 is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a 2 as the argument. Locking the configuration is intended to be the last command in les for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.

-f [0..2]
Set failure flag 0=silent 1=printk 2=panic. This option lets you determine how you want the kernel to handle critical errors. Example conditions where this flag is consulted include: transmission errors to the userspace audit daemon, backlog limit exceeded, out of kernel memory, and rate limit exceeded. Secure environments will probably want to set this to 2.

-i
Ignore errors when reading rules from a file. This causes auditctl to always return a success exit code.

-c
Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.

-C
Build an inter-field comparison rule: field, operation, field. You may pass multiple comparisons on a single command line. Each inter-field equation is anded with each other as well as with equations starting with -F to trigger an audit record. Valid fields are: auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid.

-l
List all rules, 1 per line.

-k key
Set a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. Typical use is for when you have several rules that together satisfy a security requirement. The key value can be searched on with ausearch so that no matter which rule triggered the event, you can find its results. The key can also be used on delete all (-D) and list rules (-l) to select rules. You may have more than one key on a rule if you want to be able to search logged events in multiple ways or if you have an audispd plugin that uses a key to aid its analysis.

-m text
Send a user space message into the audit system. This can only be done if you have the CAP_AUDIT_WRITE capability (normally the root user has this).

-p [r|w|x|a]
Describe the permission access type that a file system watch will trigger on. r=read, w=write, x=execute, a=attribute change. These permissions are not the standard file permissions, but rather the kind of syscall that would do this kind of thing. The read and write syscalls themselves are omitted from this set since they would overwhelm the logs; for reads or writes, the open flags are looked at instead to see what permission was requested.

-q mount-point,subtree
If you have an existing directory watch and bind or move mount another subtree in the watched subtree, you need to tell the kernel to make the subtree being mounted equivalent to the directory being watched. If the subtree is already mounted at the time the directory watch is issued, the subtree is automatically tagged for watching.

-r rate
Set limit in messages/sec (0=none). If this rate is non-zero and is exceeded, the failure flag is consulted by the kernel for action.

-R file
Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file).

-s
Report the kernel's audit subsystem status. It will tell you the in-kernel values that can be set by -e, -f, -r, and -b. The pid value is the process number of the audit daemon. Note that a pid of 0 indicates that the audit daemon is not running. It also reports how many event records have been discarded due to the kernel audit queue overflowing. The backlog field tells how many event records are currently outstanding.

-t
Trim the subtrees after a mount command.

-a list,action
Append rule to the end of list with action. Please note the comma separating the two values. The following describes the valid list names:

task
Add a rule to the per-task list. This rule list is used only at the time a task is created, that is, when fork() or clone() are called by the parent task. When using this list, you should only use fields that are known at task creation time, such as the uid, gid, etc.

exit
Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.

user
Add a rule to the user message filter list.
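As an added example (not from the auditctl man page or the audit project), the following POSIX shell function lints a rules file before it is handed to -R, checking the constraints described above: rules are not prefixed with auditctl, lines starting with '#' are comments, -k keys are at most 31 bytes, -e 2 appears only as the last rule, and the file is owned by root and not readable by other users. The function name, the report codes and the sample rules are my own; the sample rules also use the -w and -S options, which this excerpt does not describe.

```shell
#!/bin/sh
# Lint an auditctl -R rules file against the constraints described above.
# The helper name and the report codes are constructed for this example.

check_rules_file() {
    file=$1
    problems=0
    report() { echo "$1"; problems=$((problems + 1)); }

    # Ownership and mode: the file must be root-owned and not readable by others.
    owner=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$owner" = 0 ] || report "OWNER: $file is not owned by root (uid $owner)"
    case "$(printf '%s' "$mode" | tail -c 1)" in   # the "other" octal digit
        4|5|6|7) report "MODE: $file is readable by other users (mode $mode)" ;;
    esac

    lineno=0 last_rule=0 lock_line=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;    # blank line or '#' comment
            auditctl*) report "PREFIX: line $lineno must not start with auditctl" ;;
        esac
        last_rule=$lineno
        # A -k filter key may be at most 31 bytes long.
        key=$(printf '%s\n' "$line" | sed -n 's/.*-k  *\([^ ]*\).*/\1/p')
        if [ -n "$key" ] && [ $(( $(printf '%s' "$key" | wc -c) )) -gt 31 ]; then
            report "KEYLEN: line $lineno key '$key' exceeds 31 bytes"
        fi
        # -e 2 locks the configuration, so every rule after it is denied.
        case "$line" in *'-e 2'*) lock_line=$lineno ;; esac
    done < "$file"

    if [ "$lock_line" -ne 0 ] && [ "$lock_line" -ne "$last_rule" ]; then
        report "LOCK: -e 2 on line $lock_line is not the last rule"
    fi
    [ "$problems" -eq 0 ]   # exit status 0 only when the file passed every check
}
```

Run it as `check_rules_file /path/to/rules` on a file before loading it with `auditctl -R`; each problem is printed as "CODE: detail" and the exit status is non-zero if anything was reported.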