Difference between revisions of "Auditctl"
Jump to navigation
Jump to search
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{lc}} | {{lc}} | ||
| + | |||
| + | [[auditctl -s]] | ||
| + | |||
| + | auditctl -l | ||
| + | No rules | ||
| + | |||
auditctl -A exit,always -S connect | auditctl -A exit,always -S connect | ||
| + | |||
| + | <pre> | ||
| + | auditctl --help | ||
| + | usage: auditctl [options] | ||
| + | -a <l,a> Append rule to end of <l>ist with <a>ction | ||
| + | -A <l,a> Add rule at beginning of <l>ist with <a>ction | ||
| + | -b <backlog> Set max number of outstanding audit buffers | ||
| + | allowed Default=64 | ||
| + | -c Continue through errors in rules | ||
| + | -C f=f Compare collected fields if available: | ||
| + | Field name, operator(=,!=), field name | ||
| + | -d <l,a> Delete rule from <l>ist with <a>ction | ||
| + | l=task,exit,user,exclude | ||
| + | a=never,always | ||
| + | -D Delete all rules and watches | ||
| + | -e [0..2] Set enabled flag | ||
| + | -f [0..2] Set failure flag | ||
| + | 0=silent 1=printk 2=panic | ||
| + | -F f=v Build rule: field name, operator(=,!=,<,>,<=, | ||
| + | >=,&,&=) value | ||
| + | -h Help | ||
| + | -i Ignore errors when reading rules from file | ||
| + | -k <key> Set filter key on audit rule | ||
| + | -l List rules | ||
| + | -m text Send a user-space message | ||
| + | -p [r|w|x|a] Set permissions filter on watch | ||
| + | r=read, w=write, x=execute, a=attribute | ||
| + | -q <mount,subtree> make subtree part of mount point's dir watches | ||
| + | -r <rate> Set limit in messages/sec (0=none) | ||
| + | -R <file> read rules from file | ||
| + | -s Report status | ||
| + | -S syscall Build rule: syscall name or number | ||
| + | -t Trim directory watches | ||
| + | -v Version | ||
| + | -w <path> Insert watch at <path> | ||
| + | -W <path> Remove watch at <path> | ||
| + | --loginuid-immutable Make loginuids unchangeable once set | ||
| + | --backlog_wait_time Set the kernel backlog_wait_time | ||
| + | --reset-lost Reset the lost record counter | ||
| + | </pre> | ||
== See also == | == See also == | ||
| + | * {{auditctl}} | ||
* {{auditd}} | * {{auditd}} | ||
* {{lsof}} | * {{lsof}} | ||
| − | |||
[[Category:Security]] | [[Category:Security]] | ||
Latest revision as of 12:28, 28 September 2023
auditctl -s
auditctl -l No rules
auditctl -A exit,always -S connect
auditctl --help
usage: auditctl [options]
-a <l,a> Append rule to end of <l>ist with <a>ction
-A <l,a> Add rule at beginning of <l>ist with <a>ction
-b <backlog> Set max number of outstanding audit buffers
allowed Default=64
-c Continue through errors in rules
-C f=f Compare collected fields if available:
Field name, operator(=,!=), field name
-d <l,a> Delete rule from <l>ist with <a>ction
l=task,exit,user,exclude
a=never,always
-D Delete all rules and watches
-e [0..2] Set enabled flag
-f [0..2] Set failure flag
0=silent 1=printk 2=panic
-F f=v Build rule: field name, operator(=,!=,<,>,<=,
>=,&,&=) value
-h Help
-i Ignore errors when reading rules from file
-k <key> Set filter key on audit rule
-l List rules
-m text Send a user-space message
-p [r|w|x|a] Set permissions filter on watch
r=read, w=write, x=execute, a=attribute
-q <mount,subtree> make subtree part of mount point's dir watches
-r <rate> Set limit in messages/sec (0=none)
-R <file> read rules from file
-s Report status
-S syscall Build rule: syscall name or number
-t Trim directory watches
-v Version
-w <path> Insert watch at <path>
-W <path> Remove watch at <path>
--loginuid-immutable Make loginuids unchangeable once set
--backlog_wait_time Set the kernel backlog_wait_time
--reset-lost Reset the lost record counter
See also[edit]
Advertising:
