Steve,

Here are examples of some rules we have been working with:

Adding rules:

auditctl -a exit,never -S mount
auditctl -a entry,always -S access -F a1=4
auditctl -a exit,always -S ipc -F a0=2

Deleting rules:

auditctl -d exit,never -S mount
auditctl -d entry,always -S access -F a1=4
auditctl -d exit,always -S ipc -F a0=2

Examples we would like to have:

Task rules.
Examples using more of the -F fields, including multiple -F fields in one rule.



Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw@us.ibm.com
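The add and delete rules above mirror each other exactly: a -d line only removes a rule if its list/action pair, syscalls and -F fields match the -a line that installed it. The following is an added example, not code from the thread or from the audit package, that parses rule lines in the syntax shown (list,action after -a/-d, repeated -S and -F options) and derives the matching -d line for each -a line. The accepted list names, the -F operator set and the two extra sample rules (a task-list rule and a rule with two -F fields) are assumptions made for the example.

```python
"""Parse auditctl -a/-d rule lines and derive the matching delete rule."""
import re
import shlex
from dataclasses import dataclass, field

# Lists and actions accepted in the -a/-d argument.  The thread writes them as
# list,action (e.g. "exit,never"); either order is accepted here.  Assumption:
# this set of list names.
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}

# -F takes field<op>value.  Assumption: this operator set; the rules in the
# thread only need "=".
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.+)$")


@dataclass
class Rule:
    op: str                 # "add" (-a) or "delete" (-d)
    lst: str                # task / entry / exit / user / exclude
    action: str             # always / never
    syscalls: list = field(default_factory=list)
    filters: list = field(default_factory=list)   # (field, operator, value)

    def command(self, op=None):
        """Render the rule as an auditctl command line, optionally flipping -a/-d."""
        flag = {"add": "-a", "delete": "-d"}[op or self.op]
        parts = ["auditctl", flag, f"{self.lst},{self.action}"]
        for sc in self.syscalls:
            parts += ["-S", sc]
        for fname, oper, value in self.filters:
            parts += ["-F", f"{fname}{oper}{value}"]
        return " ".join(parts)


def parse_rule(line):
    """Parse one 'auditctl -a|-d list,action [-S sc]... [-F f=v]...' line."""
    argv = shlex.split(line)
    if argv and argv[0] == "auditctl":
        argv = argv[1:]
    op = lst = action = None
    syscalls, filters = [], []
    i = 0
    while i < len(argv):
        flag = argv[i]
        if i + 1 >= len(argv):
            raise ValueError(f"{flag} needs an argument")
        arg = argv[i + 1]
        i += 2
        if flag in ("-a", "-d"):
            if op is not None:
                raise ValueError("only one -a/-d per rule")
            parts = arg.split(",")
            lst = next((p for p in parts if p in LISTS), None)
            action = next((p for p in parts if p in ACTIONS), None)
            if len(parts) != 2 or lst is None or action is None:
                raise ValueError(f"expected list,action, got {arg!r}")
            op = "add" if flag == "-a" else "delete"
        elif flag == "-S":
            syscalls.append(arg)
        elif flag == "-F":
            m = FILTER_RE.match(arg)
            if not m:
                raise ValueError(f"bad -F filter {arg!r}")
            filters.append((m.group(1), m.group(2), m.group(3)))
        else:
            raise ValueError(f"unsupported option {flag}")
    if op is None:
        raise ValueError("rule has no -a or -d")
    return Rule(op, lst, action, syscalls, filters)


def delete_command(line):
    """Return the -d line that removes the rule installed by an -a line."""
    return parse_rule(line).command(op="delete")


# Constructed sample input: the three add rules from the thread plus two
# assumed examples of the kinds Kris asked for (a task rule, multiple -F).
SAMPLE_RULES = [
    "auditctl -a exit,never -S mount",
    "auditctl -a entry,always -S access -F a1=4",
    "auditctl -a exit,always -S ipc -F a0=2",
    "auditctl -a task,always -F uid=0",
    "auditctl -a exit,always -S ipc -F a0=2 -F uid=500",
]

if __name__ == "__main__":
    for add_line in SAMPLE_RULES:
        print(add_line, "->", delete_command(add_line))
```

Running it prints each add rule beside the delete rule that reverses it; feeding the script your own ruleset before loading it is a cheap way to catch a -d line that silently fails to match because a -F field was dropped or reordered.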


From: Steve Grubb <sgrubb@redhat.com>
Sent by: linux-audit-bounces@redhat.com
Date: 02/10/2005 12:35 PM
Please respond to: Linux Audit Discussion
To: Linux Audit Discussion <linux-audit@redhat.com>
cc:
Subject: Sample Rules

Hi,

I'm getting closer to releasing the next version of the audit daemon. I'm
wanting to include a file that has sample auditctl rules demonstrating how to
do various things. I'm open to ideas. What common tasks should be included?
Note the file will be installed in the docs directory rather than being the
default ruleset.

-Steve Grubb

--
Linux-audit mailing list
Linux-audit@redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit