Mondoo Docs

auditd (Linux Audit Daemon) rule for a syscall

eg: -a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset =>
    {
      action: "always",
      list: "exit",
      syscalls: [],
      field_entries: [
        key="arch" op="=" value="b32",
        key="auid" op=">=" value="1000",
        key="auid" op="!=" value="unset",
      ],
      keyname: nil,
    }

Category: Operating System (private resource)

Min version: 9.0.0
Defaults: action, list


Fields (5)

All five fields are required.

Field      Type       Description
action     string     the action specified by -a
fields     []dict     all field entries as raw values as specified by -F
keyname    string     the key name for related rules as specified by -k
list       string     the list, the second value specified by -a
syscalls   []string   the list of syscalls that this rule matches specified by -S