Sample Rules
Kris Wilson
krisw at us.ibm.com
Thu Feb 10 23:58:05 UTC 2005
Steve,
Here are examples of some rules we have been working with:
Adding rules:
auditctl -a exit,never -S mount
auditctl -a entry,always -S access -F a1=4
auditctl -a exit,always -S ipc -F a0=2
Deleting rules:
auditctl -d exit,never -S mount
auditctl -d entry,always -S access -F a1=4
auditctl -d exit,always -S ipc -F a0=2
Examples we would like to have:
Task rules.
Examples using more of the -F fields, including multiple -F fields in one rule.
Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw at us.ibm.com
Steve Grubb <sgrubb at redhat.com>
Sent by: linux-audit-bounces at redhat.com
02/10/2005 12:35 PM
Please respond to Linux Audit Discussion
To: Linux Audit Discussion <linux-audit at redhat.com>
cc:
Subject: Sample Rules
Hi,
I'm getting closer to releasing the next version of the audit daemon. I'm
wanting to include a file that has sample auditctl rules demonstrating how to
do various things. I'm open to ideas. What common tasks should be included?
Note the file will be installed in the docs directory rather than being the
default ruleset.
-Steve Grubb