AUDITCTL:(8)           System Administration Utilities          AUDITCTL:(8)

NAME
       auditctl - a utility to assist controlling the kernel's audit system

SYNOPSIS
       auditctl [options]

DESCRIPTION
       The auditctl program is used to control the behavior, get status, and
       add or delete rules into the 2.6 kernel's audit system.

OPTIONS
       -b backlog
              Set max number of outstanding audit buffers allowed (Kernel
              Default=64). If all buffers are full, the failure flag is
              consulted by the kernel for action.

       -e [0..2]
              Set enabled flag. When 0 is passed, this can be used to
              temporarily disable auditing. When 1 is passed as an argument,
              it will enable auditing. To lock the audit configuration so
              that it can't be changed, pass a 2 as the argument. Locking the
              configuration is intended to be the last command in audit.rules
              for anyone wishing this feature to be active. Any attempt to
              change the configuration in this mode will be audited and
              denied. The configuration can only be changed by rebooting the
              machine.

       -f [0..2]
              Set failure flag 0=silent 1=printk 2=panic. This option lets
              you determine how you want the kernel to handle critical
              errors. Example conditions where this flag is consulted
              include: transmission errors to the userspace audit daemon,
              backlog limit exceeded, out of kernel memory, and rate limit
              exceeded. The default value is 1. Secure environments will
              probably want to set this to 2.

       -h     Help

       -i     Ignore errors when reading rules from a file

       -l     List all rules, 1 per line.

       -k key Set a filter key on an audit rule. The filter key is an
              arbitrary string of text that can be up to 31 bytes long. It
              can uniquely identify the audit records produced by the watch.

       -m text
              Send a user space message into the audit system. This can only
              be done by the root user.

       -p [r|w|x|a]
              Set permissions filter for a file system watch. r=read,
              w=write, x=execute, a=attribute change. These permissions are
              not the standard file permissions, but rather the kind of
              syscall that would do this kind of thing. The read & write
              syscalls are omitted from this set since they would overwhelm
              the logs. Rather, for reads or writes, the open flags are
              looked at to see what permission was requested.

       -q mount-point,subtree
              If you have an existing directory watch and bind or move mount
              another subtree in the watched subtree, you need to tell the
              kernel to make the subtree being mounted equivalent to the
              directory being watched. If the subtree is already mounted at
              the time the directory watch is issued, the subtree is
              automatically tagged for watching. Please note the comma
              separating the two values. Omitting it will cause errors.

       -r rate
              Set limit in messages/sec (0=none). If this rate is non-zero
              and is exceeded, the failure flag is consulted by the kernel
              for action. The default value is 0.

       -R file
              Read rules from a file. The rules must be 1 per line and in the
              order that they are to be executed in. The rule file must be
              owned by root and not readable by other users or it will be
              rejected. The rule file may have comments embedded by starting
              the line with a '#' character. Rules that are read from a file
              are identical to what you would type on a command line except
              they are not preceded by auditctl (since auditctl is the one
              executing the file).

       -s     Report status

       -t     Trim the subtrees after a mount command.
       -a list,action
              Append rule to the end of list with action. Please note the
              comma separating the two values. Omitting it will cause errors.
              The following describes the valid list names:

              task    Add a rule to the per task list. This rule list is
                      used only at the time a task is created -- when
                      fork() or clone() are called by the parent task.
                      When using this list, you should only use fields
                      that are known at task creation time, such as the
                      uid, gid, etc.

              entry   Add a rule to the syscall entry list. This list is
                      used upon entry to a system call to determine if an
                      audit event should be created.

              exit    Add a rule to the syscall exit list. This list is
                      used upon exit from a system call to determine if an
                      audit event should be created.

              user    Add a rule to the user message filter list. This
                      list is used by the kernel to filter events
                      originating in user space before relaying them to
                      the audit daemon. It should be noted that the only
                      fields that are valid are: uid, auid, gid, and pid.
                      All other fields will be treated as non-matching.

              exclude Add a rule to the event type exclusion filter list.
                      This list is used to filter events that you do not
                      want to see. For example, if you do not want to see
                      any avc messages, you would use this list to record
                      that. The message type that you do not wish to see
                      is given with the msgtype field.

              The following describes the valid actions for the rule:

              never   No audit records will be generated. This can be used
                      to suppress event generation. In general, you want
                      suppressions at the top of the list instead of the
                      bottom. This is because the event triggers on the
                      first matching rule.

              always  Allocate an audit context, always fill it in at
                      syscall entry time, and always write out a record at
                      syscall exit time.

       -A list,action
              Add rule to the beginning of list with action.

       -d list,action
              Delete rule from list with action. The rule is deleted only if
              it exactly matches syscall name and field names.

       -D     Delete all rules and watches.
       -S [Syscall name or number|all]
              Any syscall name or number may be used. The word 'all' may
              also be used. If this syscall is made by a program, then start
              an audit record. If a field rule is given and no syscall is
              specified, it will default to all syscalls. You may also
              specify multiple syscalls in the same rule. Doing so improves
              performance since fewer rules need to be evaluated.

       -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
              Build a rule field: name, operation, value. You may have up to
              64 fields passed on a single command line. Each one must start
              with -F. Each field equation is anded with each other to
              trigger an audit record. There are 8 operators supported -
              equal, not equal, less than, greater than, less than or equal,
              greater than or equal, bit mask, and bit test respectively.
              Bit test will "and" the values and check that they are equal;
              bit mask just "ands" the values. Fields that take a user ID
              may instead have the user's name; the program will convert the
              name to user ID. The same is true of group names. Valid fields
              are:

              a0, a1, a2, a3
                      Respectively, the first 4 arguments to a syscall.
                      Note that string arguments are not supported. This
                      is because the kernel is passed a pointer to the
                      string. Triggering on a pointer address value is not
                      likely to work. So, when using this, you should only
                      use numeric values. This is most likely to be used
                      on platforms that multiplex socket or IPC
                      operations.

              arch    The CPU architecture of the syscall. The arch can be
                      found doing 'uname -m'. If you do not know the arch
                      of your machine but you want to use the 32 bit
                      syscall table and your machine supports 32 bit, you
                      can also use b32 for the arch. The same applies to
                      the 64 bit syscall table, you can use b64.

              auid    The original ID the user logged in with. It's an
                      abbreviation of audit uid.

              devmajor
                      Device Major Number

              devminor
                      Device Minor Number

              dir     Full Path of Directory to watch. See "-w". Should
                      only be used on the exit list.

              egid    Effective Group ID

              euid    Effective User ID

              exit    Exit value from a syscall

              fsgid   Filesystem Group ID

              fsuid   Filesystem User ID

              gid     Group ID

              inode   Inode Number

              key     This is another way of setting a filter key. See
                      discussion above for the -k option.

              msgtype This is used to match the message type number. It
                      should only be used on the exclude filter list.

              obj_user
                      Resource's SELinux User

              obj_role
                      Resource's SELinux Role

              obj_type
                      Resource's SELinux Type

              obj_lev_low
                      Resource's SELinux Low Level

              obj_lev_high
                      Resource's SELinux High Level

              path    Full Path of File to watch. See "-w". Should only be
                      used on the exit list.

              perm    Permission filter for file operations. See "-p".
                      Should only be used on the exit list.

              pers    OS Personality Number

              pid     Process ID

              ppid    Parent's Process ID

              subj_user
                      Program's SELinux User

              subj_role
                      Program's SELinux Role

              subj_type
                      Program's SELinux Type

              subj_sen
                      Program's SELinux Sensitivity

              subj_clr
                      Program's SELinux Clearance

              sgid    Set Group ID

              success If the exit value is >= 0 this is true/yes, otherwise
                      it's false/no. When writing a rule, use a 1 for
                      true/yes and a 0 for false/no.

              suid    Set User ID

              uid     User ID
       -w path
              Insert a watch for the file system object at path. You cannot
              insert a watch to the top level directory. This is prohibited
              by the kernel. Wildcards are not supported either and will
              generate a warning. The way that watches work is by tracking
              the inode internally. This means that if you put a watch on a
              directory, you will see what appears to be file events, but it
              is really just the updating of metadata. You might miss a few
              events by doing this. If you need to watch all files in a
              directory, it's recommended to place an individual watch on
              each file. Unlike syscall auditing rules, watches do not impact
              performance based on the number of rules sent to the kernel.

       -W path
              Remove a watch for the file system object at path.
275
EXAMPLES
       To see all syscalls made by a specific program:

              auditctl -a entry,always -S all -F pid=1005

       To see files opened by a specific user:

              auditctl -a exit,always -S open -F auid=510

       To see unsuccessful open calls:

              auditctl -a exit,always -S open -F success!=0

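       Because -R rejects nothing but unreadable files and a malformed line
       (a missing comma in list,action, an unknown list, a wildcard in -w,
       an over-long -k key) only surfaces as an error at load time, it helps
       to check a rules file before loading it. The following is an added
       example, not part of auditctl or of this page: a small Python lint
       that applies the limits this page states to a constructed
       audit.rules-style sample (the rule lines and the sample file are
       assumptions for illustration, not the project's own).

```python
import shlex  # a lint for auditctl rules files, using only limits stated in auditctl(8)

LISTS, ACTIONS = {"task", "entry", "exit", "user", "exclude"}, {"never", "always"}
OPS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")
NO_ARG = {"-D", "-l", "-s", "-h", "-i", "-t"}
WITH_ARG = {"-a", "-A", "-d", "-F", "-k", "-p", "-w", "-S", "-W", "-b", "-r", "-m", "-e", "-f", "-q"}

def check_rule(line):
    """Return the problems found in one rule line (empty list if it is fine)."""
    problems, argv, fields, i = [], shlex.split(line), 0, 0
    while i < len(argv):
        opt, arg = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
        i += 1 if opt in NO_ARG else 2
        if opt in NO_ARG:
            continue
        if opt not in WITH_ARG:
            problems.append(f"unknown option {opt!r}")
            i -= 1                                 # a stray word consumes no argument
        elif arg is None:
            problems.append(f"{opt} is missing its argument")
        elif opt in ("-a", "-A", "-d"):            # list,action: the comma is mandatory
            lst, comma, action = arg.partition(",")
            if not comma or lst not in LISTS or action not in ACTIONS:
                problems.append(f"{opt} {arg}: expected list,action")
        elif opt == "-F":                          # name OP value, at most 64 per rule
            fields += 1
            if not any(op in arg for op in OPS):
                problems.append(f"-F {arg}: no operator")
        elif opt == "-k" and len(arg.encode()) > 31:
            problems.append(f"-k {arg}: key longer than 31 bytes")
        elif opt == "-w" and (arg == "/" or set(arg) & set("*?[")):
            problems.append(f"-w {arg}: no wildcards and no top level directory")
    if fields > 64:
        problems.append(f"{fields} -F fields; at most 64 are allowed")
    return problems

def lint_rules(text):
    """Lint a file as read by -R: one rule per line, '#' starts a comment."""
    numbered = enumerate(text.splitlines(), 1)
    return {n: p for n, l in numbered if l.strip() and not l.lstrip().startswith("#") and (p := check_rule(l))}

SAMPLE_RULES = """\
# constructed sample (not the page's own file) with two deliberate mistakes
-D
-a exit,always -S open -F success!=0 -k failed-open
-w /etc/shadow -p wa -k shadow-changes
-a exit always -S all -F pid=1005
-w /etc/*.conf -p r -k conf-reads
-e 2
"""
```

       Run lint_rules(SAMPLE_RULES) and it reports line 5 (missing comma, so
       "always" is read as a stray word) and line 6 (wildcard in -w); the
       other lines, including the final -e 2 lock, pass.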
FILES
       /etc/audit/audit.rules

SEE ALSO
       auditd(8).

AUTHOR
       Steve Grubb

Red Hat                          Jan 2007                       AUDITCTL:(8)