auditctl usage for filter lists: "user" , "watch" and "exclude"
Steve Grubb
sgrubb at redhat.com
Thu May 18 15:50:56 UTC 2006
On Thursday 18 May 2006 10:47, Michael C Thompson wrote:
> but I have very little idea of how user is meant to be used, and none about
> watch.
First, watch doesn't exist. I deleted it from the man pages yesterday.
User is used to filter userspace originating audit messages. For example, you
can use passwd and a message can be generated saying that a user's password
has been changed. You can filter those events so that they do not hit the
audit logs.
auditctl -a user,always -F uid=500
> For the exclude list,
>
> exclude,always -F msgtype=SYSCALL
>
> seems to be the only valid structure, where msgtype can be any value
> (XXX) for the type in the audit.log? (where the 1st field in the audit
> log is type=XXX)
Yes. But note that you can also do things like this:
-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'
to take out a whole range of message types.
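Added example (not from Steve's reply or from the audit project): a small Python model of how the exclude list evaluates the `-a list,action -F ...` syntax shown above, so you can see which message types a rule set would silently drop before loading it. The `msgtype` range comparison works on the numeric AUDIT_* type codes; the codes in MSGTYPE are assumed values recalled from linux/audit.h and should be checked against your kernel headers. Only the exclude list is modelled; the user list is parsed but not evaluated.

```python
import re
import shlex

# Numeric audit message-type codes. Assumption: these are the AUDIT_* values
# from linux/audit.h as recalled for this example; verify them against the
# headers of the kernel you run. Only the types used below are listed.
MSGTYPE = {
    "USER_CHAUTHTOK": 1108,   # password change reported from userspace (passwd)
    "DAEMON_START": 1200,
    "DAEMON_END": 1201,
    "DAEMON_ABORT": 1202,
    "DAEMON_CONFIG": 1203,
    "DAEMON_RECONFIG": 1204,
    "DAEMON_ROTATE": 1205,
    "SYSCALL": 1300,
    "PATH": 1302,
    "CONFIG_CHANGE": 1305,
}

# One -F argument: field name, comparison operator, value.
_FIELD_RE = re.compile(r"^(?P<name>\w+)(?P<op>>=|<=|!=|=|>|<)(?P<value>.+)$")

_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def parse_rule(line):
    """Parse one auditctl command line into (filter_list, action, fields).

    fields is a list of (name, op, value); msgtype values are resolved to
    their numeric code. Only -a and -F are understood.
    """
    toks = shlex.split(line)          # handles the quoting around 'msgtype>=...'
    flist = action = None
    fields = []
    i = 0
    while i < len(toks):
        if toks[i] == "-a":
            flist, action = toks[i + 1].split(",", 1)
            i += 2
        elif toks[i] == "-F":
            m = _FIELD_RE.match(toks[i + 1])
            if not m:
                raise ValueError("bad field: %r" % toks[i + 1])
            name, op, value = m.group("name", "op", "value")
            if name == "msgtype":
                value = MSGTYPE[value] if value in MSGTYPE else int(value)
            fields.append((name, op, value))
            i += 2
        else:
            raise ValueError("unsupported token: %r" % toks[i])
    if flist is None:
        raise ValueError("rule has no -a list,action")
    return flist, action, fields


def is_excluded(rules, type_code):
    """True if an exclude-list rule matches this numeric message type.

    All -F msgtype comparisons in one rule are ANDed, which is what turns the
    pair '>=DAEMON_START' / '<=DAEMON_ROTATE' into a range. Rules with the
    'never' action are not modelled here.
    """
    for flist, action, fields in rules:
        if flist != "exclude" or action != "always":
            continue
        checks = [f for f in fields if f[0] == "msgtype"]
        if checks and all(_OPS[op](type_code, val) for _, op, val in checks):
            return True
    return False


def excluded_types(rules):
    """Names of the known message types a rule set would drop from audit.log."""
    return sorted(n for n, c in MSGTYPE.items() if is_excluded(rules, c))


def filter_records(rules, records):
    """Return the (type_name, text) records that would still reach audit.log."""
    return [r for r in records if not is_excluded(rules, MSGTYPE[r[0]])]


# The range rule quoted in the reply above.
PAGE_RULES = [
    "-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'",
]

# Constructed sample records (not real audit.log output).
SAMPLE_RECORDS = [
    ("DAEMON_START", "op=start"),
    ("DAEMON_ROTATE", "op=rotate-logs"),
    ("SYSCALL", "syscall=59 success=yes"),
    ("USER_CHAUTHTOK", "op=PAM:chauthtok"),
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in PAGE_RULES]
    print("dropped types:", excluded_types(rules))
    for name, text in filter_records(rules, SAMPLE_RECORDS):
        print("type=%s %s" % (name, text))
```

Run it before loading a new rule set: excluded_types() lists every known type the exclude rules discard, which makes it obvious when a range is wider than intended (a rule that catches SYSCALL, for instance, removes the core system-call records that most detections rely on).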
> Are there more filters that apply? (and does it have any meaning without
> a filter?)
No
-Steve