UNIX ON-LINE Man Pages - Die Onlinehilfe

Die Syntax von Unixbefehlen wird in den entsprechenden Manpages dokumentiert. Hier können Sie diese Onlinehilfe für viele Standardbefehle abrufen.

Suchoptionen:
Seiten auflisten, welche beginnen mit:
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z   ALPHA   NUM   ANDERE   ALLE
AUDITCTL:(8)            System Administration Utilities           AUDITCTL:(8)

NAME
       auditctl - a utility to assist controlling the kernel's audit system

SYNOPSIS
       auditctl [options]

DESCRIPTION
       The  auditctl  program is used to control the behavior, get status, and
       add or delete rules into the 2.6 kernel's audit system.

OPTIONS
       -b backlog
              Set max number of  outstanding  audit  buffers  allowed  (Kernel
              Default=64)  If  all  buffers are full, the failure flag is con-
              sulted by the kernel for action.

       -e [0..2]
              Set enabled flag. When 0 is passed, this can  be  used  to  tem-
              porarily  disable  auditing. When 1 is passed as an argument, it
              will enable auditing. To lock the audit configuration so that it
              can't be changed, pass a 2 as the argument. Locking the configu-
              ration is intended to be the last  command  in  audit.rules  for
              anyone  wishing this feature to be active. Any attempt to change
              the configuration in this mode will be audited and  denied.  The
              configuration can only be changed by rebooting the machine.

       -f [0..2]
              Set failure flag 0=silent 1=printk 2=panic. This option lets you
              determine how you want the kernel  to  handle  critical  errors.
              Example conditions where this flag is consulted includes: trans-
              mission  errors  to  userspace  audit  daemon,   backlog   limit
              exceeded,  out  of  kernel  memory, and rate limit exceeded. The
              default value is 1. Secure environments will  probably  want  to
              set this to 2.

       -h     Help

       -i     Ignore errors when reading rules from a file

       -l     List all rules 1 per line. This can take a key option (-k), too.

       -k key Set a filter key on an audit rule. The filter key  is  an  arbi-
              trary  string  of  text  that can be up to 31 bytes long. It can
              uniquely identify the audit records produced by a rule.  Typical
              use  is  for when you have several rules that together satisfy a
              security requirement. The key value  can  be  searched  on  with
              ausearch  so  that no matter which rule triggered the event, you
              can find its results. The key can also be  used  on  delete  all
              (-D)  and  list  rules (-l) to select rules with a specific key.
              You may have more than one key on a rule if you want to be  able
              to  search logged events in multiple ways or if you have an aud-
              ispd plugin that uses a key to aid its analysis.

       -m text
              Send a user space message into the audit system. This  can  only
              be done by the root user.

       -p [r|w|x|a]
              Set permissions filter for a file system watch. r=read, w=write,
              x=execute, a=attribute change. These  permissions  are  not  the
              standard  file  permissions, but rather the kind of syscall that
              would do this kind of thing.  The  read  &  write  syscalls  are
              omitted  from  this set since they would overwhelm the logs. But
              rather for reads or writes, the open flags are looked at to  see
              what permission was requested.

       -q mount-point,subtree
              If  you  have an existing directory watch and bind or move mount
              another subtree in the watched subtree, you  need  to  tell  the
              kernel  to  make  the  subtree  being  mounted equivalent to the
              directory being watched. If the subtree is  already  mounted  at
              the time the directory watch is issued, the subtree is automati-
              cally tagged for watching. Please note the comma separating  the
              two values. Omitting it will cause errors.

       -r rate
              Set limit in messages/sec (0=none). If this rate is non-zero and
              is exceeded, the failure flag is consulted  by  the  kernel  for
              action. The default value is 0.

       -R file
              Read  rules from a file. The rules must be 1 per line and in the
              order that they are to be executed in. The  rule  file  must  be
              owned  by  root  and  not  readable by other users or it will be
              rejected. The rule file may have comments embedded  by  starting
              the  line  with a '#' character. Rules that are read from a file
              are identical to what you would type on a  command  line  except
              they  are  not  preceeded by auditctl (since auditctl is the one
              executing the file).

       -s     Report status. Note that a pid of 0  indicates  that  the  audit
              daemon is not running.

       -t     Trim the subtrees after a mount command.

       -a list,action
              Append  rule  to  the  end  of list with action. Please note the
              comma separating the two values. Omitting it will cause  errors.
              The following describes the valid list names:

              task        Add  a  rule to the per task list. This rule list is
                          used only at the time a  task  is  created  --  when
                          fork()  or  clone()  are  called by the parent task.
                          When using this list, you  should  only  use  fields
                          that  are  known  at task creation time, such as the
                          uid, gid, etc.

              exit        Add a rule to the syscall exit list.  This  list  is
                          used upon exit from a system call to determine if an
                          audit event should be created.

              user        Add a rule to the user  message  filter  list.  This
                          list  is  used by the kernel to filter events origi-
                          nating in user space before  relaying  them  to  the
                          audit  daemon.  It  should  be  noted  that the only
                          fields that are valid are: uid, auid, gid, and  pid.
                          All other fields will be treated as non-matching.

              exclude     Add  a rule to the event type exclusion filter list.
                          This list is used to filter events that you  do  not
                          want  to see. For example, if you do not want to see
                          any avc messages,  you  would  using  this  list  to
                          record  that.  The message type that you do not wish
                          to see is given with the msgtype field.

       The following describes the valid actions for the rule:

              never       No audit records will be generated. This can be used
                          to  suppress  event generation. In general, you want
                          suppressions at the top of the list instead  of  the
                          bottom.  This  is  because the event triggers on the
                          first matching rule.

              always      Allocate an audit context,  always  fill  it  in  at
                          syscall entry time, and always write out a record at
                          syscall exit time.

       -A list,action
              Add rule to the beginning list with action.

       -d list,action
              Delete rule from list with action. The rule is deleted  only  if
              it exactly matches syscall name and field names.

       -D     Delete  all  rules and watches. This can take a key option (-k),
              too.

       -S [Syscall name or number|all]
              Any syscall name or number may be used. The word 'all' may  also
              be  used.   If  this syscall is made by a program, then start an
              audit record. If a field rule is given and no syscall is  speci-
              fied, it will default to all syscalls. You may also specify mul-
              tiple syscalls in the same rule by using multiple -S options  in
              the  same  rule. Doing so improves performance since fewer rules
              need to be evaluated. If you  are  on  a  bi-arch  system,  like
              x86_64, you should be aware that auditctl simply takes the text,
              looks it up for the native arch (in this  case  b64)  and  sends
              that  rule to the kernel. If there are no additional arch direc-
              tives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have
              undesirable  effects since there is no guarantee that, for exam-
              ple, the open syscall has the same number on both 32 and 64  bit
              interfaces.  You may want to control this and write 2 rules, one
              with arch equal to b32 and one with b64 to make sure the  kernel
              finds the events that you intend.

       -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
              Build  a  rule field: name, operation, value. You may have up to
              64 fields passed on a single command line. Each one  must  start
              with -F. Each field equation is anded with each other to trigger
              an audit record. There are 8 operators supported  -  equal,  not
              equal,  less than, greater than, less than or equal, and greater
              than or equal, bit mask, and bit  test  respectively.  Bit  test
              will  "and"  the  values and check that they are equal, bit mask
              just "ands" the values. Fields that take a user ID  may  instead
              have  the user's name; the program will convert the name to user
              ID. The same is true of group names. Valid fields are:

              a0, a1, a2, a3
                          Respectively, the first 4 arguments  to  a  syscall.
                          Note  that  string arguments are not supported. This
                          is because the kernel is passed  a  pointer  to  the
                          string. Triggering on a pointer address value is not
                          likely to work. So, when using this, you should only
                          use  on  numeric  values.  This is most likely to be
                          used on platforms that multiplex socket or IPC oper-
                          ations.

              arch        The CPU architecture of the syscall. The arch can be
                          found doing 'uname -m'. If you do not know the  arch
                          of  your  machine  but  you  want  to use the 32 bit
                          syscall table and your machine supports 32 bit,  you
                          can  also  use b32 for the arch. The same applies to
                          the 64 bit syscall table, you can use b64.  In  this
                          way,  you  can  write  rules  that are somewhat arch
                          independent because the family  type  will  be  auto
                          detected. However, syscalls can be arch specific and
                          what is available on x86_64, may not be available on
                          ppc. The arch directive should preceed the -S option
                          so that auditctl knows which internal table  to  use
                          to look up the syscall numbers.

              auid        The  original  ID  the  user  logged in with. Its an
                          abbreviation of audit uid. Sometimes its referred to
                          as  loginuid. Either the text or number may be used.

              devmajor    Device Major Number

              devminor    Device Minor Number

              dir         Full Path of Directory to watch. This will  place  a
                          recursive  watch on the directory and its whole sub-
                          tree. Should only be used on exit list. See "-w".

              egid        Effective Group ID

              euid        Effective User ID

              exit        Exit value from a syscall. If the exit  code  is  an
                          errno, you may use the text representation, too.

              fsgid       Filesystem Group ID

              fsuid       Filesystem User ID

              filetype    The  target  file's  type.  Can be either file, dir,
                          socket, symlink, char, block, or fifo.

              gid         Group ID

              inode       Inode Number

              key         This is another way of setting  a  filter  key.  See
                          discussion above for -k option.

              msgtype     This  is  used  to match the message type number. It
                          should only be used on the exclude filter list.

              obj_user    Resource's SE Linux User

              obj_role    Resource's SE Linux Role

              obj_type    Resource's SE Linux Type

              obj_lev_low Resource's SE Linux Low Level

              obj_lev_high
                          Resource's SE Linux High Level

              path        Full Path of File to watch. Should only be  used  on
                          exit list.

              perm        Permission  filter  for  file  operations. See "-p".
                          Should only be used on exit list. You can  use  this
                          without  specifying  a  syscall  and the kernel will
                          select the syscalls  that  satisfy  the  permissions
                          being requested.

              pers        OS Personality Number

              pid         Process ID

              ppid        Parent's Process ID

              subj_user   Program's SE Linux User

              subj_role   Program's SE Linux Role

              subj_type   Program's SE Linux Type

              subj_sen    Program's SE Linux Sensitivity

              subj_clr    Program's SE Linux Clearance

              sgid        Saved Group ID. See getresgid(2) man page.

              success     If the exit value is >= 0 this is true/yes otherwise
                          its false/no. When writing  a  rule,  use  a  1  for
                          true/yes and a 0 for false/no

              suid        Saved User ID. See getresuid(2) man page.

              uid         User ID

       -w path
              Insert  a  watch  for the file system object at path. You cannot
              insert a watch to the top level directory. This is prohibited by
              the kernel. Wildcards are not supported either and will generate
              a warning. The way that watches work is by  tracking  the  inode
              internally.  If  you  place  a  watch on a file, its the same as
              using the -F path option on a syscall rule. If you place a watch
              on  a  directory,  its  the same as using the -F dir option on a
              syscall rule. The -w form of writing watches  is  for  backwards
              compatibility  and  the  syscall  based form is more expressive.
              Unlike most syscall auditing rules, watches do not  impact  per-
              formance  based  on  the number of rules sent to the kernel. The
              only valid options when using a watch are the -p and -k. If  you
              need  to  anything  fancy like audit a specific user accessing a
              file, then use the syscall auditing form with the  path  or  dir
              fields.  See  the  EXAMPLES section for an example of converting
              one form to another.

       -W path
              Remove a watch for the file system object at path.

PERFORMANCE TIPS
       Syscall rules get evaluated for each syscall for each program.  If  you
       have 10 syscall rules, every program on your system will delay during a
       syscall while the audit system evaulates each  one.  Too  many  syscall
       rules will hurt performance. Try to combine as many as you can whenever
       the filter, action, key, and fields are identical. For example:

       auditctl -a exit,always -S open -F success=0
       auditctl -a exit,always -S truncate -F success=0

       could be re-written as one rule:

       auditctl -a exit,always -S open -S truncate -F success=0

       Also, try to use file system auditing wherever practical. This improves
       performance.  For  example,  if  you were wanting to capture all failed
       opens & truncates like above, but were only concerned  about  files  in
       /etc  and  didn't  care  about  /usr or /sbin, its possible to use this
       rule:

       auditctl -a exit,always -S open -S truncate -F dir=/etc -F success=0

       This will be higher performance since the kernel will not  evaluate  it
       each  and  every syscall. It will be handled by the filesystem auditing
       code and only checked on filesystem related syscalls.

EXAMPLES
       To see all syscalls made by a specific program:

       auditctl -a exit,always -S all -F pid=1005

       To see files opened by a specific user:

       auditctl -a exit,always -S open -F auid=510

       To see unsuccessful open call's:

       auditctl -a exit,always -S open -F success=0

       To watch a file for changes (2 ways to express):

       auditctl -w /etc/shadow -p wa
       auditctl -a exit,always -F path=/etc/shadow -F perm=wa

       To recursively watch a directory for changes (2 ways to express):

       auditctl -w /etc/ -p wa
       auditctl -a exit,always -F dir=/etc/ -F perm=wa

FILES
       /etc/audit/audit.rules

SEE ALSO
       audit.rules(7), auditd(8).

AUTHOR
       Steve Grubb

Red Hat                            Aug 2009                       AUDITCTL:(8)
 

Scannen Sie den Barcode um die Webseite zu öffnen


Quelle: http://www.trinler.net/de/service/doc/linux/man.html?command=auditctl
Gedruckt am: 13.12.2017 12:11 GMT+0100 (2017-12-13T12:11:49+01:00)