Provided by: auditd_1.7.18-1ubuntu1_i386 bug


       auditctl - a utility to assist controlling the kernel's audit system


       auditctl [options]


       The  auditctl  program is used to control the behavior, get status, and
       add or delete rules into the 2.6 kernel's audit system.


       -b backlog
              Set max number of  outstanding  audit  buffers  allowed  (Kernel
              Default=64)  If  all  buffers  are  full,  the  failure  flag is
              consulted by the kernel for action.

       -e [0..2]
              Set enabled flag.  When  0  is  passed,  this  can  be  used  to
              temporarily  disable  auditing. When 1 is passed as an argument,
              it will enable auditing. To lock the audit configuration so that
              it  can't  be  changed,  pass  a  2 as the argument. Locking the
              configuration is intended to be the last command in  audit.rules
              for  anyone  wishing  this  feature to be active. Any attempt to
              change the configuration  in  this  mode  will  be  audited  and
              denied.  The  configuration can only be changed by rebooting the

       -f [0..2]
              Set failure flag 0=silent 1=printk 2=panic. This option lets you
              determine  how  you  want  the kernel to handle critical errors.
              Example  conditions  where  this  flag  is  consulted  includes:
              transmission  errors  to  userspace  audit daemon, backlog limit
              exceeded, out of kernel memory, and  rate  limit  exceeded.  The
              default  value  is  1. Secure environments will probably want to
              set this to 2.

       -h     Help

       -i     Ignore errors when reading rules from a file

       -l     List all rules 1 per line. This can take a key option (-k), too.

       -k key Set a filter key  on  an  audit  rule.  The  filter  key  is  an
              arbitrary string of text that can be up to 31 bytes long. It can
              uniquely identify the audit records produced by a rule.  Typical
              use  is  for when you have several rules that together satisfy a
              security requirement. The key value  can  be  searched  on  with
              ausearch  so  that no matter which rule triggered the event, you
              can find its results. The key can also be  used  on  delete  all
              (-D)  and  list  rules (-l) to select rules with a specific key.
              You may have more than one key on a rule if you want to be  able
              to  search  logged  events  in  multiple  ways or if you have an
              audispd plugin that uses a key to aid its analysis.

       -m text
              Send a user space message into the audit system. This  can  only
              be done by the root user.

       -p [r|w|x|a]
              Set permissions filter for a file system watch. r=read, w=write,
              x=execute, a=attribute change. These  permissions  are  not  the
              standard  file  permissions, but rather the kind of syscall that
              would do this kind of thing.  The  read  &  write  syscalls  are
              omitted  from  this set since they would overwhelm the logs. But
              rather for reads or writes, the open flags are looked at to  see
              what permission was requested.

       -q mount-point,subtree
              If  you  have an existing directory watch and bind or move mount
              another subtree in the watched subtree, you  need  to  tell  the
              kernel  to  make  the  subtree  being  mounted equivalent to the
              directory being watched. If the subtree is  already  mounted  at
              the   time  the  directory  watch  is  issued,  the  subtree  is
              automatically  tagged  for  watching.  Please  note  the   comma
              separating the two values. Omitting it will cause errors.

       -r rate
              Set limit in messages/sec (0=none). If this rate is non-zero and
              is exceeded, the failure flag is consulted  by  the  kernel  for
              action. The default value is 0.

       -R file
              Read  rules from a file. The rules must be 1 per line and in the
              order that they are to be executed in. The  rule  file  must  be
              owned  by  root  and  not  readable by other users or it will be
              rejected. The rule file may have comments embedded  by  starting
              the  line  with a '#' character. Rules that are read from a file
              are identical to what you would type on a  command  line  except
              they  are  not  preceded  by auditctl (since auditctl is the one
              executing the file).

       -s     Report status. Note that a pid of 0  indicates  that  the  audit
              daemon is not running.

       -t     Trim the subtrees after a mount command.

       -a list,action
              Append  rule  to  the  end  of list with action. Please note the
              comma separating the two values. Omitting it will cause  errors.
              The following describes the valid list names:

              task        Add  a  rule to the per task list. This rule list is
                          used only at the time a  task  is  created  --  when
                          fork()  or  clone()  are  called by the parent task.
                          When using this list, you  should  only  use  fields
                          that  are  known  at task creation time, such as the
                          uid, gid, etc.

              entry       Add a rule to the syscall entry list. This  list  is
                          used  upon entry to a system call to determine if an
                          audit event should be created.

              exit        Add a rule to the syscall exit list.  This  list  is
                          used upon exit from a system call to determine if an
                          audit event should be created.

              user        Add a rule to the user  message  filter  list.  This
                          list   is  used  by  the  kernel  to  filter  events
                          originating in user space before  relaying  them  to
                          the  audit  daemon. It should be noted that the only
                          fields that are valid are: uid, auid, gid, and  pid.
                          All other fields will be treated as non-matching.

              exclude     Add  a rule to the event type exclusion filter list.
                          This list is used to filter events that you  do  not
                          want  to see. For example, if you do not want to see
                          any avc messages,  you  would  using  this  list  to
                          record  that.  The message type that you do not wish
                          to see is given with the msgtype field.

       The following describes the valid actions for the rule:

              never       No audit records will be generated. This can be used
                          to  suppress  event generation. In general, you want
                          suppressions at the top of the list instead  of  the
                          bottom.  This  is  because the event triggers on the
                          first matching rule.

              always      Allocate an audit context,  always  fill  it  in  at
                          syscall entry time, and always write out a record at
                          syscall exit time.

       -A list,action
              Add rule to the beginning list with action.

       -d list,action
              Delete rule from list with action. The rule is deleted  only  if
              it exactly matches syscall name and field names.

       -D     Delete  all  rules and watches. This can take a key option (-k),

       -S [Syscall name or number|all]
              Any syscall name or number may be used. The word 'all' may  also
              be  used.   If  this syscall is made by a program, then start an
              audit record. If a  field  rule  is  given  and  no  syscall  is
              specified, it will default to all syscalls. You may also specify
              multiple syscalls in the same rule by using multiple -S  options
              in  the  same  rule.  Doing  so improves performance since fewer
              rules need to be evaluated. If you are on a bi-arch system, like
              x86_64, you should be aware that auditctl simply takes the text,
              looks it up for the native arch (in this  case  b64)  and  sends
              that  rule  to  the  kernel.  If  there  are  no additional arch
              directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can
              have  undesirable  effects since there is no guarantee that, for
              example, the open syscall has the same number on both 32 and  64
              bit  interfaces. You may want to control this and write 2 rules,
              one with arch equal to b32 and one with b64  to  make  sure  the
              kernel finds the events that you intend.

       -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
              Build  a  rule field: name, operation, value. You may have up to
              64 fields passed on a single command line. Each one  must  start
              with -F. Each field equation is anded with each other to trigger
              an audit record. There are 8 operators supported  -  equal,  not
              equal,  less than, greater than, less than or equal, and greater
              than or equal, bit mask, and bit  test  respectively.  Bit  test
              will  "and"  the  values and check that they are equal, bit mask
              just "ands" the values. Fields that take a user ID  may  instead
              have  the user's name; the program will convert the name to user
              ID. The same is true of group names. Valid fields are:

              a0, a1, a2, a3
                          Respectively, the first 4 arguments  to  a  syscall.
                          Note  that  string arguments are not supported. This
                          is because the kernel is passed  a  pointer  to  the
                          string. Triggering on a pointer address value is not
                          likely to work. So, when using this, you should only
                          use  on  numeric  values.  This is most likely to be
                          used on  platforms  that  multiplex  socket  or  IPC

              arch        The CPU architecture of the syscall. The arch can be
                          found doing 'uname -m'. If you do not know the  arch
                          of  your  machine  but  you  want  to use the 32 bit
                          syscall table and your machine supports 32 bit,  you
                          can  also  use b32 for the arch. The same applies to
                          the 64 bit syscall table, you can use b64.  In  this
                          way,  you  can  write  rules  that are somewhat arch
                          independent because the family  type  will  be  auto
                          detected. However, syscalls can be arch specific and
                          what is available on x86_64, may not be available on
                          ppc. The arch directive should preceed the -S option
                          so that auditctl knows which internal table  to  use
                          to look up the syscall numbers.

              auid        The  original  ID  the  user  logged in with. Its an
                          abbreviation of audit uid. Sometimes its referred to
                          as loginuid. Either the text or number may be used.

              devmajor    Device Major Number

              devminor    Device Minor Number

              dir         Full  Path  of Directory to watch. This will place a
                          recursive watch  on  the  directory  and  its  whole
                          subtree. Should only be used on exit list. See "-w".

              egid        Effective Group ID

              euid        Effective User ID

              exit        Exit  value  from  a syscall. If the exit code is an
                          errno, you may use the text representation, too.

              fsgid       Filesystem Group ID

              fsuid       Filesystem User ID

              filetype    The target file's type. Can  be  either  file,  dir,
                          socket, symlink, char, block, or fifo.

              gid         Group ID

              inode       Inode Number

              key         This  is  another  way  of setting a filter key. See
                          discussion above for -k option.

              msgtype     This is used to match the message  type  number.  It
                          should only be used on the exclude filter list.

              obj_user    Resource's SE Linux User

              obj_role    Resource's SE Linux Role

              obj_type    Resource's SE Linux Type

              obj_lev_low Resource's SE Linux Low Level

                          Resource's SE Linux High Level

              path        Full  Path  of File to watch. Should only be used on
                          exit list.

              perm        Permission filter for  file  operations.  See  "-p".
                          Should  only  be used on exit list. You can use this
                          without specifying a syscall  and  the  kernel  will
                          select  the  syscalls  that  satisfy the permissions
                          being requested.

              pers        OS Personality Number

              pid         Process ID

              ppid        Parent's Process ID

              subj_user   Program's SE Linux User

              subj_role   Program's SE Linux Role

              subj_type   Program's SE Linux Type

              subj_sen    Program's SE Linux Sensitivity

              subj_clr    Program's SE Linux Clearance

              sgid        Saved Group ID. See getresgid(2) man page.

              success     If the exit value is >= 0 this is true/yes otherwise
                          its  false/no.  When  writing  a  rule,  use a 1 for
                          true/yes and a 0 for false/no

              suid        Saved User ID. See getresuid(2) man page.

              uid         User ID

       -w path
              Insert a watch for the file system object at  path.  You  cannot
              insert a watch to the top level directory. This is prohibited by
              the kernel. Wildcards are not supported either and will generate
              a  warning.  The  way that watches work is by tracking the inode
              internally. If you place a watch on a  file,  its  the  same  as
              using the -F path option on a syscall rule. If you place a watch
              on a directory, its the same as using the -F  dir  option  on  a
              syscall  rule.  The  -w form of writing watches is for backwards
              compatibility and the syscall based  form  is  more  expressive.
              Unlike  most  syscall  auditing  rules,  watches  do  not impact
              performance based on the number of rules sent to the kernel. The
              only  valid options when using a watch are the -p and -k. If you
              need to anything fancy like audit a specific  user  accessing  a
              file,  then  use  the syscall auditing form with the path or dir
              fields. See the EXAMPLES section for an  example  of  converting
              one form to another.

       -W path
              Remove a watch for the file system object at path.


       Syscall  rules  get evaluated for each syscall for each program. If you
       have 10 syscall rules, every program on your system will delay during a
       syscall  while  the  audit  system evaulates each one. Too many syscall
       rules will hurt performance. Try to combine as many as you can whenever
       the filter, action, key, and fields are identical. For example:

       auditctl -a exit,always -S open -F success=0
       auditctl -a exit,always -S truncate -F success=0

       could be re-written as one rule:

       auditctl -a exit,always -S open -S truncate -F success=0

       Also, try to use file system auditing wherever practical. This improves
       performance. For example, if you were wanting  to  capture  all  failed
       opens  &  truncates  like above, but were only concerned about files in
       /etc and didn't care about /usr or /sbin,  its  possible  to  use  this

       auditctl -a exit,always -S open -S truncate -F dir=/etc -F success=0

       This  will  be higher performance since the kernel will not evaluate it
       each and every syscall. It will be handled by the  filesystem  auditing
       code and only checked on filesystem related syscalls.


       To see all syscalls made by a specific program:

       auditctl -a entry,always -S all -F pid=1005

       To see files opened by a specific user:

       auditctl -a exit,always -S open -F auid=510

       To see unsuccessful open call's:

       auditctl -a exit,always -S open -F success=0

       To watch a file for changes (2 ways to express):

       auditctl -w /etc/shadow -p wa
       auditctl -a exit,always -F path=/etc/shadow -F perm=wa

       To recursively watch a directory for changes (2 ways to express):

       auditctl -w /etc/ -p wa
       auditctl -a exit,always -F dir=/etc/ -F perm=wa




       audit.rules(7), auditd(8).


       Steve Grubb