auditd (Linux Audit Daemon) rule
auditd.rule MQL resource for querying Operating System infrastructure with cnquery and cnspec.
Relationships
Fields (3)
| Field | Type | Description |
|---|---|---|
| control (private) | auditd.rule.control | auditd (Linux Audit Daemon) rule for a control |
| file (private) | auditd.rule.file | auditd (Linux Audit Daemon) rule for a file |
| syscall (private) | auditd.rule.syscall | auditd (Linux Audit Daemon) rule for a syscall |
Field Details
control (auditd.rule.control)

We translate control rules into simple key-value pairs consisting of a flag and a value, for example:

```
--backlog_wait_time 60000 => {flag: "--backlog_wait_time", value: "60000"}
-b 8192                   => {flag: "-b", value: "8192"}
-D                        => {flag: "-D", value: nil}
```
file (auditd.rule.file)

File watch rules are translated into the watched path, the permissions being watched and the key name, for example:

```
-w /etc/shadow -p rw -k shadow_access => {path: "/etc/shadow", permissions: "rw", keyname: "shadow_access"}
```
syscall (auditd.rule.syscall)

Syscall rules are translated into the action and list, the syscalls, the -F field filters (each split into key, operator and value) and the key name, for example:

```
-a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset =>
{
  action: "always",
  list: "exit",
  syscalls: [],
  field_entries: [
    key="arch" op="="  value="b32"
    key="auid" op=">=" value="1000"
    key="auid" op="!=" value="unset"
  ],
  keyname: nil,
}
```
auditd (Linux Audit Daemon) rules aggregated on disk, via /etc/audit/audit.rules by default