LinuxGuruz
Toll Free Numbers
  • Last 5 Forum Topics
    Replies
    Views
    Last post


The Web Only This Site
  • BOOKMARK

  • ADD TO FAVORITES

  • REFERENCES


  • MARC

    Mailing list ARChives
    - Search by -
     Subjects
     Authors
     Bodies





    FOLDOC

    Computing Dictionary




  • Text Link Ads
  • LINUX man pages
  • Linux Man Page Viewer


    The following form allows you to view linux man pages.

    Command:

    auditctl

    
    
    

    SYNOPSIS

           auditctl [options]
    
    
    

    DESCRIPTION

           The  auditctl  program is used to control the behavior, get status, and
           add or delete rules into the 2.6 kernel's audit system.
    
    
    

    OPTIONS

           -b backlog
                  Set max number of  outstanding  audit  buffers  allowed  (Kernel
                  Default=64)  If  all  buffers are full, the failure flag is con-
                  sulted by the kernel for action.
    
           -e [0..2]
                  Set enabled flag. When 0 is passed, this can  be  used  to  tem-
                  porarily  disable  auditing. When 1 is passed as an argument, it
                  will enable auditing. To lock the audit configuration so that it
                  can't be changed, pass a 2 as the argument. Locking the configu-
                  ration is intended to be the last  command  in  audit.rules  for
                  anyone  wishing this feature to be active. Any attempt to change
                  the configuration in this mode will be audited and  denied.  The
                  configuration can only be changed by rebooting the machine.
    
           -f [0..2]
                  Set failure flag 0=silent 1=printk 2=panic. This option lets you
                  determine how you want the kernel  to  handle  critical  errors.
                  Example conditions where this flag is consulted includes: trans-
                  mission  errors  to  userspace  audit  daemon,   backlog   limit
                  exceeded,  out  of  kernel  memory, and rate limit exceeded. The
                  default value is 1. Secure environments will  probably  want  to
                  set this to 2.
    
           -h     Help
    
           -i     Ignore errors when reading rules from a file
    
           -l     List all rules 1 per line. This can take a key option (-k), too.
    
           -k key Set a filter key on an audit rule. The filter key  is  an  arbi-
                  trary  string  of  text  that can be up to 31 bytes long. It can
                  uniquely identify the audit records produced by a rule.  Typical
                  use  is  for when you have several rules that together satisfy a
                  security requirement. The key value  can  be  searched  on  with
                  ausearch  so  that no matter which rule triggered the event, you
                  can find its results. The key can also be  used  on  delete  all
                  (-D)  and  list  rules (-l) to select rules with a specific key.
                  You may have more than one key on a rule if you want to be  able
                  to  search logged events in multiple ways or if you have an aud-
                  ispd plugin that uses a key to aid its analysis.
    
           -m text
                  Send a user space message into the audit system. This  can  only
                  kernel  to  make  the  subtree  being  mounted equivalent to the
                  directory being watched. If the subtree is  already  mounted  at
                  the time the directory watch is issued, the subtree is automati-
                  cally tagged for watching. Please note the comma separating  the
                  two values. Omitting it will cause errors.
    
           -r rate
                  Set limit in messages/sec (0=none). If this rate is non-zero and
                  is exceeded, the failure flag is consulted  by  the  kernel  for
                  action. The default value is 0.
    
           -R file
                  Read  rules from a file. The rules must be 1 per line and in the
                  order that they are to be executed in. The  rule  file  must  be
                  owned  by  root  and  not  readable by other users or it will be
                  rejected. The rule file may have comments embedded  by  starting
                  the  line  with a '#' character. Rules that are read from a file
                  are identical to what you would type on a  command  line  except
                  they  are  not  preceded  by auditctl (since auditctl is the one
                  executing the file).
    
           -s     Report status. Note that a pid of 0  indicates  that  the  audit
                  daemon is not running.
    
           -t     Trim the subtrees after a mount command.
    
           -a list,action
                  Append  rule  to  the  end  of list with action. Please note the
                  comma separating the two values. Omitting it will cause  errors.
                  The following describes the valid list names:
    
                  task        Add  a  rule to the per task list. This rule list is
                              used only at the time a  task  is  created  --  when
                              fork()  or  clone()  are  called by the parent task.
                              When using this list, you  should  only  use  fields
                              that  are  known  at task creation time, such as the
                              uid, gid, etc.
    
                  entry       Add a rule to the syscall entry list. This  list  is
                              used  upon entry to a system call to determine if an
                              audit event should be created.
    
                  exit        Add a rule to the syscall exit list.  This  list  is
                              used upon exit from a system call to determine if an
                              audit event should be created.
    
                  user        Add a rule to the user  message  filter  list.  This
                              list  is  used by the kernel to filter events origi-
                              nating in user space before  relaying  them  to  the
                              audit  daemon.  It  should  be  noted  that the only
                              fields that are valid are: uid, auid, gid, and  pid.
                              All other fields will be treated as non-matching.
                              first matching rule.
    
                  always      Allocate an audit context,  always  fill  it  in  at
                              syscall entry time, and always write out a record at
                              syscall exit time.
    
           -A list,action
                  Add rule to the beginning list with action.
    
           -d list,action
                  Delete rule from list with action. The rule is deleted  only  if
                  it exactly matches syscall name and field names.
    
           -D     Delete  all  rules and watches. This can take a key option (-k),
                  too.
    
           -S [Syscall name or number|all]
                  Any syscall name or number may be used. The word 'all' may  also
                  be  used.   If  this syscall is made by a program, then start an
                  audit record. If a field rule is given and no syscall is  speci-
                  fied, it will default to all syscalls. You may also specify mul-
                  tiple syscalls in the same rule by using multiple -S options  in
                  the  same  rule. Doing so improves performance since fewer rules
                  need to be evaluated. If you  are  on  a  bi-arch  system,  like
                  x86_64, you should be aware that auditctl simply takes the text,
                  looks it up for the native arch (in this  case  b64)  and  sends
                  that  rule to the kernel. If there are no additional arch direc-
                  tives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have
                  undesirable  effects since there is no guarantee that, for exam-
                  ple, the open syscall has the same number on both 32 and 64  bit
                  interfaces.  You may want to control this and write 2 rules, one
                  with arch equal to b32 and one with b64 to make sure the  kernel
                  finds the events that you intend.
    
           -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
                  Build  a  rule field: name, operation, value. You may have up to
                  64 fields passed on a single command line. Each one  must  start
                  with -F. Each field equation is anded with each other to trigger
                  an audit record. There are 8 operators supported  -  equal,  not
                  equal,  less than, greater than, less than or equal, and greater
                  than or equal, bit mask, and bit  test  respectively.  Bit  test
                  will  "and"  the  values and check that they are equal, bit mask
                  just "ands" the values. Fields that take a user ID  may  instead
                  have  the user's name; the program will convert the name to user
                  ID. The same is true of group names. Valid fields are:
    
                  a0, a1, a2, a3
                              Respectively, the first 4 arguments  to  a  syscall.
                              Note  that  string arguments are not supported. This
                              is because the kernel is passed  a  pointer  to  the
                              string. Triggering on a pointer address value is not
                              likely to work. So, when using this, you should only
                              ppc. The arch directive should preceed the -S option
                              so that auditctl knows which internal table  to  use
                              to look up the syscall numbers.
    
                  auid        The  original  ID  the  user  logged in with. Its an
                              abbreviation of audit uid. Sometimes its referred to
                              as  loginuid. Either the text or number may be used.
    
                  devmajor    Device Major Number
    
                  devminor    Device Minor Number
    
                  dir         Full Path of Directory to watch. This will  place  a
                              recursive  watch on the directory and its whole sub-
                              tree. Should only be used on exit list. See "-w".
    
                  egid        Effective Group ID
    
                  euid        Effective User ID
    
                  exit        Exit value from a syscall. If the exit  code  is  an
                              errno, you may use the text representation, too.
    
                  fsgid       Filesystem Group ID
    
                  fsuid       Filesystem User ID
    
                  filetype    The  target  file's  type.  Can be either file, dir,
                              socket, symlink, char, block, or fifo.
    
                  gid         Group ID
    
                  inode       Inode Number
    
                  key         This is another way of setting  a  filter  key.  See
                              discussion above for -k option.
    
                  msgtype     This  is  used  to match the message type number. It
                              should only be used on the exclude filter list.
    
                  obj_user    Resource's SE Linux User
    
                  obj_role    Resource's SE Linux Role
    
                  obj_type    Resource's SE Linux Type
    
                  obj_lev_low Resource's SE Linux Low Level
    
                  obj_lev_high
                              Resource's SE Linux High Level
    
                  path        Full Path of File to watch. Should only be  used  on
                  subj_user   Program's SE Linux User
    
                  subj_role   Program's SE Linux Role
    
                  subj_type   Program's SE Linux Type
    
                  subj_sen    Program's SE Linux Sensitivity
    
                  subj_clr    Program's SE Linux Clearance
    
                  sgid        Saved Group ID. See getresgid(2) man page.
    
                  success     If the exit value is >= 0 this is true/yes otherwise
                              its false/no. When writing  a  rule,  use  a  1  for
                              true/yes and a 0 for false/no
    
                  suid        Saved User ID. See getresuid(2) man page.
    
                  uid         User ID
    
           -w path
                  Insert  a  watch  for the file system object at path. You cannot
                  insert a watch to the top level directory. This is prohibited by
                  the kernel. Wildcards are not supported either and will generate
                  a warning. The way that watches work is by  tracking  the  inode
                  internally.  If  you  place  a  watch on a file, its the same as
                  using the -F path option on a syscall rule. If you place a watch
                  on  a  directory,  its  the same as using the -F dir option on a
                  syscall rule. The -w form of writing watches  is  for  backwards
                  compatibility  and  the  syscall  based form is more expressive.
                  Unlike most syscall auditing rules, watches do not  impact  per-
                  formance  based  on  the number of rules sent to the kernel. The
                  only valid options when using a watch are the -p and -k. If  you
                  need  to  anything  fancy like audit a specific user accessing a
                  file, then use the syscall auditing form with the  path  or  dir
                  fields.  See  the  EXAMPLES section for an example of converting
                  one form to another.
    
           -W path
                  Remove a watch for the file system object at path.
    
    
    

    PERFORMANCE TIPS

           Syscall rules get evaluated for each syscall for each program.  If  you
           have 10 syscall rules, every program on your system will delay during a
           syscall while the audit system evaulates each  one.  Too  many  syscall
           rules will hurt performance. Try to combine as many as you can whenever
           the filter, action, key, and fields are identical. For example:
    
           auditctl -a exit,always -S open -F success=0
           auditctl -a exit,always -S truncate -F success=0
    
           could be re-written as one rule:
    
    
    

    EXAMPLES

           To see all syscalls made by a specific program:
    
           auditctl -a entry,always -S all -F pid=1005
    
           To see files opened by a specific user:
    
           auditctl -a exit,always -S open -F auid=510
    
           To see unsuccessful open call's:
    
           auditctl -a exit,always -S open -F success=0
    
           To watch a file for changes (2 ways to express):
    
           auditctl -w /etc/shadow -p wa
           auditctl -a exit,always -F path=/etc/shadow -F perm=wa
    
           To recursively watch a directory for changes (2 ways to express):
    
           auditctl -w /etc/ -p wa
           auditctl -a exit,always -F dir=/etc/ -F perm=wa
    
    
    

    FILES

           /etc/audit/audit.rules
    
    
    

    SEE ALSO

           audit.rules(7), auditd(8).
    
    
    

    AUTHOR

           Steve Grubb
    
    
    

    Red Hat Nov 2008 AUDITCTL:(8)

    
    
  • MORE RESOURCE


  • Linux

    The Distributions





    Linux

    The Software





    Linux

    The News



  • MARKETING






  • Toll Free

Toll Free Numbers

webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz