Filewatcher File Search File Search
Catalog
Content Search
» » » » » auditd_1.7.13-1+b2_amd64.deb » Content »
pkg://auditd_1.7.13-1+b2_amd64.deb:378280/usr/share/man/man8/  info  control  downloads

auditd - User space tools for security auditing…  more info»

auditctl.8.gz

AUDITCTL:(8)       System Administration Utilities      AUDITCTL:(8)



NAME
       auditctl - a utility to assist controlling the kernel's audit
       system

SYNOPSIS
       auditctl [options]

DESCRIPTION
       The auditctl program is used to  control  the  behavior,  get
       status,  and  add or delete rules into the 2.6 kernel's audit
       system.

OPTIONS
       -b backlog
              Set max number of outstanding  audit  buffers  allowed
              (Kernel Default=64) If all buffers are full, the fail‐
              ure flag is consulted by the kernel for action.

       -e [0..2]
              Set enabled flag. When 0 is passed, this can  be  used
              to  temporarily  disable auditing. When 1 is passed as
              an argument, it will  enable  auditing.  To  lock  the
              audit  configuration so that it can't be changed, pass
              a 2 as the  argument.  Locking  the  configuration  is
              intended  to  be  the  last command in audit.rules for
              anyone wishing this feature to be active. Any  attempt
              to  change  the  configuration  in  this  mode will be
              audited and denied.  The  configuration  can  only  be
              changed by rebooting the machine.

       -f [0..2]
              Set  failure  flag  0=silent  1=printk  2=panic.  This
              option lets you determine how you want the  kernel  to
              handle  critical errors. Example conditions where this
              flag is consulted  includes:  transmission  errors  to
              userspace audit daemon, backlog limit exceeded, out of
              kernel memory, and rate limit  exceeded.  The  default
              value  is 1. Secure environments will probably want to
              set this to 2.

       -h     Help

       -i     Ignore errors when reading rules from a file

       -l     List all rules 1 per line. This can take a key  option
              (-k), too.

       -k key Set  a  filter key on an audit rule. The filter key is
              an arbitrary string of text that can be up to 31 bytes
              long.  It can uniquely identify the audit records pro‐
              duced by a rule. Typical use is for when you have sev‐
              eral  rules  that together satisfy a security require‐
              ment. The key value can be searched on  with  ausearch
              so  that no matter which rule triggered the event, you
              can find its results. The key  can  also  be  used  on
              delete  all  (-D)  and list rules (-l) to select rules
              with a specific key. You may have more than one key on
              a  rule if you want to be able to search logged events
              in multiple ways or if you have an audispd plugin that
              uses a key to aid its analysis.

       -m text
              Send  a user space message into the audit system. This
              can only be done by the root user.

       -p [r|w|x|a]
              Set  permissions  filter  for  a  file  system  watch.
              r=read,  w=write, x=execute, a=attribute change. These
              permissions are not the standard file permissions, but
              rather  the kind of syscall that would do this kind of
              thing. The read & write syscalls are omitted from this
              set  since  they  would overwhelm the logs. But rather
              for reads or writes, the open flags are looked  at  to
              see what permission was requested.

       -q mount-point,subtree
              If  you  have  an existing directory watch and bind or
              move mount another subtree in the watched subtree, you
              need  to  tell  the  kernel  to make the subtree being
              mounted equivalent to the directory being watched.  If
              the  subtree is already mounted at the time the direc‐
              tory watch is issued,  the  subtree  is  automatically
              tagged  for watching. Please note the comma separating
              the two values. Omitting it will cause errors.

       -r rate
              Set limit in messages/sec (0=none). If  this  rate  is
              non-zero  and  is  exceeded,  the failure flag is con‐
              sulted by the kernel for action. The default value  is
              0.

       -R file
              Read  rules  from a file. The rules must be 1 per line
              and in the order that they are to be executed in.  The
              rule  file  must  be owned by root and not readable by
              other users or it will be rejected. The rule file  may
              have comments embedded by starting the line with a '#'
              character. Rules that are read from a file are identi‐
              cal  to  what  you would type on a command line except
              they are not preceeded by auditctl (since auditctl  is
              the one executing the file).

       -s     Report status. Note that a pid of 0 indicates that the
              audit daemon is not running.

       -t     Trim the subtrees after a mount command.

       -a list,action
              Append rule to the end of  list  with  action.  Please
              note  the comma separating the two values. Omitting it
              will cause errors. The following describes  the  valid
              list names:

              task        Add a rule to the per task list. This rule
                          list is used only at the time  a  task  is
                          created  --  when  fork()  or  clone() are
                          called by the parent task. When using this
                          list,  you should only use fields that are
                          known at task creation time, such  as  the
                          uid, gid, etc.

              entry       Add a rule to the syscall entry list. This
                          list is used upon entry to a  system  call
                          to  determine  if an audit event should be
                          created.

              exit        Add a rule to the syscall exit list.  This
                          list  is used upon exit from a system call
                          to determine if an audit event  should  be
                          created.

              user        Add  a  rule  to  the  user message filter
                          list. This list is used by the  kernel  to
                          filter  events  originating  in user space
                          before relaying them to the audit  daemon.
                          It  should  be  noted that the only fields
                          that are valid are: uid,  auid,  gid,  and
                          pid.  All  other fields will be treated as
                          non-matching.

              exclude     Add a rule to  the  event  type  exclusion
                          filter  list.  This list is used to filter
                          events that you do not want  to  see.  For
                          example, if you do not want to see any avc
                          messages, you would  using  this  list  to
                          record  that. The message type that you do
                          not wish to see is given with the  msgtype
                          field.

       The following describes the valid actions for the rule:

              never       No  audit  records will be generated. This
                          can be used to suppress event  generation.
                          In  general,  you want suppressions at the
                          top of the list  instead  of  the  bottom.
                          This  is because the event triggers on the
                          first matching rule.

              always      Allocate an audit context, always fill  it
                          in at syscall entry time, and always write
                          out a record at syscall exit time.

       -A list,action
              Add rule to the beginning list with action.

       -d list,action
              Delete rule from list with action. The rule is deleted
              only  if  it  exactly  matches  syscall name and field
              names.

       -D     Delete all rules and watches.  This  can  take  a  key
              option (-k), too.

       -S [Syscall name or number|all]
              Any syscall name or number may be used. The word 'all'
              may also be used.  If this syscall is made by  a  pro‐
              gram,  then  start an audit record. If a field rule is
              given and no syscall is specified, it will default  to
              all  syscalls.  You may also specify multiple syscalls
              in the same rule by using multiple -S options  in  the
              same  rule.  Doing so improves performance since fewer
              rules need to be evaluated. If you are  on  a  bi-arch
              system, like x86_64, you should be aware that auditctl
              simply takes the text, looks it up for the native arch
              (in  this case b64) and sends that rule to the kernel.
              If there are no additional arch  directives,  IT  WILL
              APPLY  TO  BOTH  32  &  64 BIT SYSCALLS. This can have
              undesirable effects since there is no guarantee  that,
              for  example,  the open syscall has the same number on
              both 32 and 64 bit interfaces. You may want to control
              this and write 2 rules, one with arch equal to b32 and
              one with b64 to make sure the kernel finds the  events
              that you intend.

       -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
              Build  a  rule  field: name, operation, value. You may
              have up to 64 fields passed on a single command  line.
              Each  one  must  start with -F. Each field equation is
              anded with each other  to  trigger  an  audit  record.
              There  are  8  operators supported - equal, not equal,
              less than, greater  than,  less  than  or  equal,  and
              greater  than or equal, bit mask, and bit test respec‐
              tively. Bit test will "and" the values and check  that
              they  are  equal,  bit  mask  just  "ands" the values.
              Fields that take a user ID may instead have the user's
              name;  the  program  will convert the name to user ID.
              The same is true of group names. Valid fields are:

              a0, a1, a2, a3
                          Respectively, the first 4 arguments  to  a
                          syscall.  Note  that  string arguments are
                          not supported. This is because the  kernel
                          is  passed  a pointer to the string. Trig‐
                          gering on a pointer address value  is  not
                          likely  to  work. So, when using this, you
                          should only use on numeric values. This is
                          most  likely  to be used on platforms that
                          multiplex socket or IPC operations.

              arch        The CPU architecture of the  syscall.  The
                          arch can be found doing 'uname -m'. If you
                          do not know the arch of your  machine  but
                          you  want  to use the 32 bit syscall table
                          and your machine supports 32 bit, you  can
                          also  use  b32  for  the  arch.  The  same
                          applies to the 64 bit syscall  table,  you
                          can  use  b64.  In this way, you can write
                          rules that are somewhat  arch  independent
                          because  the  family  type  will  be  auto
                          detected. However, syscalls  can  be  arch
                          specific  and what is available on x86_64,
                          may not be  available  on  ppc.  The  arch
                          directive  should preceed the -S option so
                          that auditctl knows which  internal  table
                          to use to look up the syscall numbers.

              auid        The  original  ID the user logged in with.
                          Its an abbreviation of  audit  uid.  Some‐
                          times  its referred to as loginuid. Either
                          the text or number may be used.

              devmajor    Device Major Number

              devminor    Device Minor Number

              dir         Full Path of Directory to watch. This will
                          place  a  recursive watch on the directory
                          and its whole subtree. Should only be used
                          on exit list. See "-w".

              egid        Effective Group ID

              euid        Effective User ID

              exit        Exit  value  from  a  syscall. If the exit
                          code is an errno, you  may  use  the  text
                          representation, too.

              fsgid       Filesystem Group ID

              fsuid       Filesystem User ID

              filetype    The  target  file's  type.  Can  be either
                          file, dir, socket, symlink,  char,  block,
                          or fifo.

              gid         Group ID

              inode       Inode Number

              key         This  is  another  way of setting a filter
                          key. See discussion above for -k option.

              msgtype     This is used to  match  the  message  type
                          number.  It  should  only  be  used on the
                          exclude filter list.

              obj_user    Resource's SE Linux User

              obj_role    Resource's SE Linux Role

              obj_type    Resource's SE Linux Type

              obj_lev_low Resource's SE Linux Low Level

              obj_lev_high
                          Resource's SE Linux High Level

              path        Full Path of File to watch. Should only be
                          used on exit list.

              perm        Permission filter for file operations. See
                          "-p". Should only be used  on  exit  list.
                          You  can  use  this  without  specifying a
                          syscall and the  kernel  will  select  the
                          syscalls   that  satisfy  the  permissions
                          being requested.

              pers        OS Personality Number

              pid         Process ID

              ppid        Parent's Process ID

              subj_user   Program's SE Linux User

              subj_role   Program's SE Linux Role

              subj_type   Program's SE Linux Type

              subj_sen    Program's SE Linux Sensitivity

              subj_clr    Program's SE Linux Clearance

              sgid        Saved Group ID. See getresgid(2) man page.

              success     If the exit value is >= 0 this is true/yes
                          otherwise  its  false/no.  When  writing a
                          rule, use a 1 for true/yes  and  a  0  for
                          false/no

              suid        Saved User ID. See getresuid(2) man page.

              uid         User ID

       -w path
              Insert a watch for the file system object at path. You
              cannot insert a watch to the top level directory. This
              is  prohibited  by  the kernel. Wildcards are not sup‐
              ported either and will generate  a  warning.  The  way
              that watches work is by tracking the inode internally.
              If you place a watch on a file, its the same as  using
              the  -F  path option on a syscall rule. If you place a
              watch on a directory, its the same as using the -F dir
              option  on  a  syscall  rule.  The  -w form of writing
              watches is for backwards compatibility and the syscall
              based  form  is  more  expressive. Unlike most syscall
              auditing rules,  watches  do  not  impact  performance
              based  on  the number of rules sent to the kernel. The
              only valid options when using a watch are the  -p  and
              -k.  If  you  need to anything fancy like audit a spe‐
              cific user accessing a  file,  then  use  the  syscall
              auditing  form  with  the  path or dir fields. See the
              EXAMPLES section for an example of converting one form
              to another.

       -W path
              Remove a watch for the file system object at path.

PERFORMANCE TIPS
       Syscall  rules  get  evaluated for each syscall for each pro‐
       gram. If you have 10 syscall rules,  every  program  on  your
       system  will  delay  during  a syscall while the audit system
       evaulates each one. Too many syscall rules will hurt  perfor‐
       mance. Try to combine as many as you can whenever the filter,
       action, key, and fields are identical. For example:

       auditctl -a exit,always -S open -F success=0
       auditctl -a exit,always -S truncate -F success=0

       could be re-written as one rule:

       auditctl -a exit,always -S open -S truncate -F success=0

       Also, try to use file  system  auditing  wherever  practical.
       This  improves  performance. For example, if you were wanting
       to capture all failed opens & truncates like above, but  were
       only concerned about files in /etc and didn't care about /usr
       or /sbin, its possible to use this rule:

       auditctl -a exit,always -S open -S truncate -F dir=/etc -F success=0

       This will be higher performance since  the  kernel  will  not
       evaluate it each and every syscall. It will be handled by the
       filesystem auditing  code  and  only  checked  on  filesystem
       related syscalls.

EXAMPLES
       To see all syscalls made by a specific program:

       auditctl -a entry,always -S all -F pid=1005

       To see files opened by a specific user:

       auditctl -a exit,always -S open -F auid=510

       To see unsuccessful open call's:

       auditctl -a exit,always -S open -F success=0

       To watch a file for changes (2 ways to express):

       auditctl -w /etc/shadow -p wa
       auditctl -a exit,always -F path=/etc/shadow -F perm=wa

       To  recursively  watch  a  directory  for  changes (2 ways to
       express):

       auditctl -w /etc/ -p wa
       auditctl -a exit,always -F dir=/etc/ -F perm=wa


FILES
       /etc/audit/audit.rules


SEE ALSO
       auditd(8).


AUTHOR
       Steve Grubb



Red Hat                       Nov 2008                  AUDITCTL:(8)
Results 1 - 1 of 1
Help - FTP Sites List - Software Dir.
Search over 15 billion files
© 1997-2017 FileWatcher.com