auditd (Linux Audit Daemon) rule for a file
eg: -w /etc/shadow -p rw -k shadow_access => (path: "/etc/shadow", permissions: "rw", keyname: "shadow_access")
Fields (3)
| Field | Type | Description |
|---|---|---|
| keyname (required) | string | the key name for related rules as specified by -k |
| path (required) | string | the path this rule matches as specified by -w |
| permissions (required) | string | the permissions specified by this rule via -p |
auditd (Linux Audit Daemon) rule for a control
We translate these into simple key-value pairs consisting of a flag and an optional value.
eg: --backlog_wait_time 60000 => (flag: "--backlog_wait_time", value: "60000")
eg: -b 8192 => (flag: "-b", value: "8192")
eg: -D => (flag: "-D", value: nil)
auditd (Linux Audit Daemon) rule for a syscall
eg: -a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset => (action: "always", list: "exit", syscalls: [], field_entries: [(key: "arch", op: "=", value: "b32"), (key: "auid", op: ">=", value: "1000"), (key: "auid", op: "!=", value: "unset")], keyname: nil)
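As an added example (not part of this page's schema or its project's code), the following Python parser turns audit.rules lines into the three record shapes described above: file (-w) rules, control rules, and syscall (-a) rules with their -F field entries. The function name `parse_auditd_rule` and the `type` discriminator key are assumptions of this example; the sample rule lines are constructed.

```python
import re
import shlex

# Operators accepted in -F entries. Two-character operators come first in the
# alternation so "auid!=unset" is split as key "auid", op "!=", not key "auid!".
_FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def parse_auditd_rule(line):
    """Parse one audit.rules line into a dict shaped like the records above.

    The "type" key ("file", "syscall" or "control") is this example's own
    discriminator. Blank lines and '#' comments return None.
    """
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[0] == "-w":  # watch rule on a path: -w path [-p perms] [-k key]
        rule = {"type": "file", "path": None, "permissions": None, "keyname": None}
        names = {"-w": "path", "-p": "permissions", "-k": "keyname"}
        for flag, val in zip(toks[::2], toks[1::2]):
            if flag in names:
                rule[names[flag]] = val
        return rule
    if toks[0] in ("-a", "-A"):  # syscall rule: -a action,list [-S ...] [-F ...] [-k key]
        action, lst = toks[1].split(",", 1)
        rule = {"type": "syscall", "action": action, "list": lst,
                "syscalls": [], "field_entries": [], "keyname": None}
        for flag, val in zip(toks[2::2], toks[3::2]):
            if flag == "-S":
                rule["syscalls"].extend(val.split(","))
            elif flag == "-k":
                rule["keyname"] = val
            elif flag == "-F":
                m = _FIELD_RE.match(val)
                if not m:
                    raise ValueError(f"malformed -F entry: {val!r}")
                key, op, value = m.groups()
                if key == "key" and op == "=":  # "-F key=x" is auditctl's spelling of -k x
                    rule["keyname"] = value
                else:
                    rule["field_entries"].append({"key": key, "op": op, "value": value})
        return rule
    # Anything else is a control rule: one flag with an optional value.
    return {"type": "control", "flag": toks[0],
            "value": toks[1] if len(toks) > 1 else None}
```

Lines that mix several control flags, or that place values before their flags, are outside what this parser accepts and should be treated as malformed rather than silently reinterpreted.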