Sample Rules

Kris Wilson krisw at us.ibm.com
Thu Feb 10 23:58:05 UTC 2005
Steve,

Here are examples of some rules we have been working with:

Adding rules:

  auditctl -a exit,never -S mount
  auditctl -a entry,always -S access -F a1=4
  auditctl -a exit,always -S ipc -F a0=2

Deleting rules:

  auditctl -d exit,never -S mount
  auditctl -d entry,always -S access -F a1=4
  auditctl -d exit,always -S ipc -F a0=2

Examples we would like to have:

  Task rules.
  Examples using more of the -F fields, including multiple -F fields in one rule.



Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw at us.ibm.com
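The add/delete pairs above share one shape: a list,action pair, a syscall, and zero or more -F filters, and every -a rule has a -d twin with identical arguments. The script below is an added example, not code from this thread or from the audit project. It checks a rule's arguments against that shape and prints the matching add and delete commands without ever running auditctl, so it can be used to review a rules file offline before loading it. It assumes the entry, exit and task filter lists and the -F field names and comparison operators it lists are the ones auditctl accepts.

```shell
#!/bin/sh
# Added example: validate auditctl -a/-d rule arguments offline and
# derive the delete command that matches each add command.
# Assumption: the list,action pairs, -F field names and comparison
# operators recognised below are those auditctl accepts.

# Return 0 if "$1" is a valid list,action pair for -a or -d.
valid_list_action() {
    case "$1" in
        entry,always|entry,never|exit,always|exit,never|task,always|task,never)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 if "$1" is a -F expression of the form field<op>value with a
# known field and one of the operators =, !=, <, >, <=, >=.
valid_filter() {
    field=$(printf '%s' "$1" | sed 's/[=!<>].*//')
    op_value=${1#"$field"}
    case "$field" in
        pid|uid|euid|suid|fsuid|gid|egid|sgid|fsgid|loginuid|a0|a1|a2|a3|exit|success|arch) ;;
        *) return 1 ;;
    esac
    case "$op_value" in
        '!='[0-9A-Za-z_]*|'<='[0-9A-Za-z_]*|'>='[0-9A-Za-z_]*) return 0 ;;
        '='[0-9A-Za-z_]*|'<'[0-9A-Za-z_]*|'>'[0-9A-Za-z_]*)    return 0 ;;
        *) return 1 ;;
    esac
}

# check_rule LIST,ACTION SYSCALL [FILTER ...]
# On success prints the add command followed by its delete counterpart;
# on failure reports the offending argument on stderr and returns 1.
check_rule() {
    la=$1; sc=$2; shift 2
    valid_list_action "$la" || { echo "bad list,action: $la" >&2; return 1; }
    [ -n "$sc" ] || { echo "missing syscall name" >&2; return 1; }
    filters=""
    for f in "$@"; do
        valid_filter "$f" || { echo "bad -F filter: $f" >&2; return 1; }
        filters="$filters -F $f"
    done
    echo "auditctl -a $la -S $sc$filters"
    echo "auditctl -d $la -S $sc$filters"
}

# The three rules from the message, plus one with several -F fields
# (the latter is constructed for illustration only).
check_rule exit,never mount
check_rule entry,always access a1=4
check_rule exit,always ipc a0=2
check_rule exit,always open uid=500 'success!=1'
# A malformed rule is rejected rather than passed on to auditctl.
if check_rule exit,maybe mount; then echo "unexpected acceptance" >&2; fi
```

Feed the real rules file through check_rule one line at a time (for example with `set -- $line` and `check_rule "$@"` after stripping the leading `-a`) and the script reports any typo in a list name, field or operator before a rule ever reaches the kernel.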


Steve Grubb <sgrubb at redhat.com>, sent by linux-audit-bounces at redhat.com, wrote on 02/10/2005 12:35 PM to Linux Audit Discussion <linux-audit at redhat.com> (Subject: Sample Rules; please respond to Linux Audit Discussion):

Hi,

I'm getting closer to releasing the next version of the audit daemon. I'm
wanting to include a file that has sample auditctl rules demonstrating how to
do various things. I'm open to ideas. What common tasks should be included?
Note the file will be installed in the docs directory rather than being the
default ruleset.

-Steve Grubb

--
Linux-audit mailing list
Linux-audit at redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit