[PATCH v1] add filesystem filter list to auditctl usage

Richard Guy Briggs rgb at redhat.com
Thu Oct 28 19:49:12 UTC 2021 

The "filesystem" filter was added 2017-10-05 with
commit 38ec69344689ac7886812890cb3e2cc97c0c112c
    ("filter: add filesystem filter with fstype")

Add the list name to the usage text.

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 docs/audit.rules.7 | 4 ++--
 src/auditctl.c     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/audit.rules.7 b/docs/audit.rules.7
index 0325c153772d..40263ec6807d 100644
--- a/docs/audit.rules.7
+++ b/docs/audit.rules.7
@@ -43,7 +43,7 @@ rule.
 .SS System Call
 The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible.
 
-The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.
+The Linux kernel has 5 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude and filesystem. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.
 
 The exit filter is the place where all syscall and file system audit requests are evaluated.
 
@@ -71,7 +71,7 @@ option tells the kernel's rule matching engine that we want to append a rule at
 .RE
 
 The action and list are separated by a comma but no space in between. Valid lists are:
-.IR task ", " exit ", " user ", and " exclude ". Their meaning was explained earlier.
+.IR task ", " exit ", " user ", " exclude ", and " filesystem ". Their meaning was explained earlier.
 
 Next in the rule would normally be the
 .B \-S
diff --git a/src/auditctl.c b/src/auditctl.c
index 06bb747c5fd2..f9bfc2a247d2 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -110,7 +110,7 @@ static void usage(void)
      "    -C f=f                            Compare collected fields if available:\n"
      "                                      Field name, operator(=,!=), field name\n"
      "    -d <l,a>                          Delete rule from <l>ist with <a>ction\n"
-     "                                      l=task,exit,user,exclude\n"
+     "                                      l=task,exit,user,exclude,filesystem\n"
      "                                      a=never,always\n"
      "    -D                                Delete all rules and watches\n"
      "    -e [0..2]                         Set enabled flag\n"
-- 
2.27.0

More information about the Linux-audit mailing list