<html><body> <p>Steve,<br> <br> Here are examples of some rules we have been working with:<br> <br> Adding rules:<br> <br> auditctl -a exit,never -S mount<br> auditctl -a entry,always -S access -F a1=4<br> auditctl -a exit,always -S ipc -F a0=2<br> <br> Deleting rules:<br> <br> auditctl -d exit,never -S mount<br> auditctl -d entry,always -S access -F a1=4<br> auditctl -d exit,always -S ipc -F a0=2<br> <br> Examples we would like to have:<br> <br> Task rules.<br> Examples using more of the -F fields, including mulltiple -F fields in one rule.<br> <br> <br> <br> Kris Wilson<br> Linux Security<br> (512) 838-0126 T/L:678-0126<br> krisw@us.ibm.com<br> <img src="cid:10__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" width="16" height="16" alt="Inactive hide details for Steve Grubb <sgrubb@redhat.com>">Steve Grubb <sgrubb@redhat.com><br> <br> <br> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr valign="top"><td style="background-image:url(cid:20__=08BBE537DF1121B68f9e8a93df938@us.ibm.com); background-repeat: no-repeat; " width="40%"> <ul> <ul> <ul> <ul><b><font size="2">Steve Grubb <sgrubb@redhat.com></font></b><font size="2"> </font><br> <font size="2">Sent by: linux-audit-bounces@redhat.com</font> <p><font size="2">02/10/2005 12:35 PM</font> <table border="1"> <tr valign="top"><td width="168" bgcolor="#FFFFFF"><div align="center"><font size="2">Please respond to<br> Linux Audit Discussion</font></div></td></tr> </table> </ul> </ul> </ul> </ul> </td><td width="60%"> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr valign="top"><td width="1%" valign="middle"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="58" alt=""><br> <div align="right"><font size="2">To</font></div></td><td width="100%"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="1" alt=""><br> <font size="2">Linux Audit Discussion <linux-audit@redhat.com></font></td></tr> <tr valign="top"><td width="1%" valign="middle"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="58" alt=""><br> <div align="right"><font size="2">cc</font></div></td><td width="100%"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="1" alt=""><br> </td></tr> <tr valign="top"><td width="1%" valign="middle"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="58" alt=""><br> <div align="right"><font size="2">Subject</font></div></td><td width="100%"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="1" alt=""><br> <font size="2">Sample Rules</font></td></tr> </table> <table border="0" cellspacing="0" cellpadding="0"> <tr valign="top"><td width="58"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="1" alt=""></td><td width="336"><img src="cid:30__=08BBE537DF1121B68f9e8a93df938@us.ibm.com" border="0" height="1" width="1" alt=""></td></tr> </table> </td></tr> </table> <br> <tt>Hi,<br> <br> I'm getting closer to releasing the next version of the audit daemon. I'm <br> wanting to include a file that has sample auditctl rules demonstrating how to <br> do various things. I'm open to ideas. What common tasks should be included?<br> Note the file will be installed in the docs directory rather than being the <br> default ruleset.<br> <br> -Steve Grubb<br> <br> --<br> Linux-audit mailing list<br> Linux-audit@redhat.com<br> </tt><tt><a href="http://www.redhat.com/mailman/listinfo/linux-audit">http://www.redhat.com/mailman/listinfo/linux-audit</a></tt><tt><br> </tt><br> </body></html>