auditctl usage for filter lists: "user" , "watch" and "exclude"
Michael C Thompson
thompsmc at us.ibm.com
Thu May 18 15:41:51 UTC 2006
Michael C Thompson wrote:
> Michael C Thompson wrote:
>> Hey all,
>>
>> I'm trying to understand better the user, watch and exclude auditctl
>> filter lists. I believe I have a reasonable understanding of exclude
>> from some examples Steve gave (see below), but I have very little idea
>> of how user is meant to be used, and none about watch.
>>
>> Any enlightenment will be helpful.
>>
>> For the exclude list,
>>
>> exclude,always -F msgtype=SYSCALL
>>
>> seems to be the only valid structure, where msgtype can be any value
>> (XXX) for the type in the audit.log? (where the 1st field in the audit
>> log is type=XXX)
>>
>> Are there more filters that apply? (and does it have any meaning
>> without a filter?)
>
> Question, is it intended for:
> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
> and
> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
>
> (being active at different times) to both block the CONFIG_CHANGE
> messages? I would assume that exclude,never to _not_ block messages of
> that type?
It also seems to be that:
auditctl -a exclude,always -F msgtype=CWD
auditctl -a exclude,always -F msgtype=PATH
and
auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
do not work in the same way, in fact, "auditctl -a exclude,always -F
msgtype=CWD -F msgtype=PATH" does not remove either the CWD or the PATH
type from the message. Can the exclude list have only 1 msgtype per rule?
Mike
More information about the Linux-audit
mailing list