I just spent a chunk of time debugging an issue with my audit.rules
file. So I just wanted to post here as (1) a feature request and (2)
a note for others who may be heading down this path.
The situation is that I have some longish lines in my
/etc/audit/audit.rules file. So, to clean things up, I broke them
into multiple lines as follows.
Something like this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F
auid>=1000 -F auid!=4294967295 -k perm_mod
Became this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \
-F auid!=4294967295 -k perm_mod
This change, however, breaks the parsing by auditctl.
It would be nice to be able to have multiline entries in the
rules file. But in the meantime, hopefully this note could help to
save someone else some time.
Cheers,
-bryan
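One practical workaround for the limitation described in the post above is to keep the backslash-continued rules in a source file and join the continued lines into single lines before handing the result to auditctl, since auditctl expects one complete rule per line. The script below is an added example and is not part of the original post or of the audit package; the sample rules file it writes is constructed, and the helper names (`make_sample_rules`, `join_continued_lines`, `check_no_continuations`) are assumptions made for the example. Loading the joined output with `auditctl -R` is left to the reader, because that needs root and a running audit daemon.

```shell
#!/bin/sh
# Added example (not from the original post): pre-process a rules file
# that uses trailing-backslash continuations into the one-rule-per-line
# form that auditctl parses.

# Write a small constructed rules file and print its path.
# The continued rule is the one from the post; the others are filler.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample audit.rules (not a real system file)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \
-F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
EOF
    echo "$f"
}

# Join every line that ends in a backslash with the line that follows it,
# separating the joined pieces with a single space. Comment lines and
# ordinary one-line rules pass through unchanged.
join_continued_lines() {
    awk '
    {
        line = $0
        # strip optional trailing whitespace plus the continuation backslash
        if (sub(/[[:space:]]*\\$/, "", line)) {
            buf = buf line " "
            next
        }
        print buf line
        buf = ""
    }
    END { if (buf != "") print buf }   # file ended on a continued line
    ' "$1"
}

# Return 0 if no line in the file still ends with a backslash, 1 otherwise.
# Run this on the joined output before passing it to auditctl -R.
check_no_continuations() {
    if grep -q '\\$' "$1"; then
        return 1
    fi
    return 0
}
```

Typical use would be `join_continued_lines audit.rules.src > /etc/audit/audit.rules && check_no_continuations /etc/audit/audit.rules && auditctl -R /etc/audit/audit.rules` (that last step assumes root). Note that joining with a single space is only safe because audit rule fields are whitespace-separated; a backslash inside a quoted value would also be treated as a continuation by this script, so keep continuations at field boundaries as in the post.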