On Thursday 18 May 2006 10:47, Michael C Thompson wrote:
but I have very little idea of how user is meant to be used, and none about watch.
First, watch doesn't exist. I deleted it from the man pages yesterday.
User is used to filter userspace originating audit messages. For example, you
can use passwd and a message can be generated saying that a users password
has been changed. You can filter those events so that they do not hit the
audit logs.
auditctl -a user,always -F uid=500
For the exclude list,
exclude,always -F msgtype=SYSCALL
seems to be the only valid structure, where msgtype can be any value
(XXX) for the type in the audit.log? (where the 1st field in the audit
log is type=XXX)
Yes. But note that you can also do things like this:
-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'
to take out a whole range of message types.
Are there more filters that apply? (and does it have any meaning without a filter?)
No
-Steve
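Because an exclude rule silently drops records before they reach audit.log, it helps to preview which record types a rule would remove before loading it. The script below is an added example, not code from this thread or from the audit package: it models the exclude list's msgtype matching (including the two-field range form above, where several -F fields on one rule are ANDed) and runs it over a few constructed audit.log lines. The numeric type codes are assumed from libaudit.h and should be checked against your own copy.

```python
import operator
import re

# Numeric record types as defined in libaudit.h (values assumed from my
# reading of that header; verify them against your distribution's copy).
MSGTYPE = {
    "USER_CHAUTHTOK": 1108, "DAEMON_START": 1200, "DAEMON_END": 1201,
    "DAEMON_ABORT": 1202, "DAEMON_CONFIG": 1203, "DAEMON_ROTATE": 1204,
    "SYSCALL": 1300, "PATH": 1302,
}
OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       "=": operator.eq, ">": operator.gt, "<": operator.lt}

def parse_exclude_rule(rule):
    """Turn `-a exclude,always -F 'msgtype>=X' -F 'msgtype<=Y'` into a list
    of (comparison, numeric type) tests.  All -F fields on one rule must
    match, which is how the two-field form selects a whole range."""
    if not re.match(r"^\s*-a\s+exclude,always\b", rule):
        raise ValueError("only -a exclude,always rules are modelled here")
    tests = []
    for field in re.findall(r"-F\s+'?([^\s']+)'?", rule):
        m = re.fullmatch(r"msgtype(>=|<=|!=|=|>|<)([A-Z_]+)", field)
        if not m:
            raise ValueError(f"unsupported field for the exclude list: {field}")
        op, name = m.groups()
        tests.append((OPS[op], MSGTYPE[name]))
    return tests

def record_type(record):
    """Name from the leading type=XXX field of an audit.log record."""
    return re.match(r"type=([A-Z_]+)", record).group(1)

def is_excluded(record, tests):
    """True if the exclude rule would drop this record."""
    code = MSGTYPE[record_type(record)]
    return all(cmp(code, value) for cmp, value in tests)

def preview(rule, records):
    """Type names of the records that the rule would keep out of audit.log."""
    tests = parse_exclude_rule(rule)
    return [record_type(r) for r in records if is_excluded(r, tests)]

# Constructed sample records in audit.log layout (not real log data).
SAMPLE_LOG = [
    "type=DAEMON_START msg=audit(1147966000.000:1): auditd start, ver=1.2.2",
    "type=DAEMON_CONFIG msg=audit(1147966001.000:2): auditd config change",
    "type=DAEMON_ROTATE msg=audit(1147966002.000:3): auditd log rotated",
    "type=SYSCALL msg=audit(1147966003.000:4): arch=c000003e syscall=2 success=yes",
    "type=USER_CHAUTHTOK msg=audit(1147966004.000:5): user pid=1234 uid=500 msg='op=change password'",
]

if __name__ == "__main__":
    rule = "-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'"
    print(preview(rule, SAMPLE_LOG))
```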