From: Romesh Upadhyay
To: linux-audit@redhat.com
Cc: Romesh Upadhyay, achillesgaikwad@gmail.com
Subject: [PATCH] Update auditctl man page for new example on shell escaping.
Date: Thu, 2 Sep 2021 06:14:44 +0000
Message-Id: <1630563284-2750-1-git-send-email-romupadh@gmail.com>

This commit will add an additional example in the auditctl(8) manpage which will help users to use shell escaping while defining the rules through the auditctl command, as some characters require escaping when invoked from a shell. It is a known issue that the shell interprets '>' as redirection, which results in auditctl giving errors like "-F missing operation for auid".

Signed-off-by: Romesh Upadhyay
--- docs/auditctl.8 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 8069259..e987452 100644 --- a/docs/auditctl.8 
+++ b/docs/auditctl.8 @@ -317,6 +317,12 @@ To watch a file for changes (2 ways to express): .B auditctl \-a always,exit \-F path=/etc/shadow \-F perm=wa .fi +Using shell escaping in bash by defining '\' before '>' to avoid interpretation of special characters such as '>','<' as a file redirection: + +.nf +.B auditctl \-a exit,always \-F arch=b64 \-S fchmodat \-F auid\>=500 \-F auid\!=4294967295 \-k perm_mod +.fi + To recursively watch a directory for changes (2 ways to express): .nf -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
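Review bot: In the added `.B auditctl` line, `auid\>=500` and `auid\!=4294967295` sit in roff source, where the backslash is the escape character (the same line relies on that for `\-a`, `\-F`, `\-S`, `\-k`), so the rendered man page will not show the literal backslash that the example exists to teach. Write the backslash as `\e`, i.e. `auid\e>=500` and `auid\e!=4294967295`, so that the reader sees `\>` and `\!` in the output. Two smaller points on the same hunk: the new example uses `\-a exit,always` while the context line just above uses `\-a always,exit`, and keeping one order would read more consistently; and the introductory sentence names '<' as well as '>' but the example only exercises '>' and '!', so either trim the sentence or reword it along the lines of "When run from a shell, precede '>' and '!' with a backslash so the shell does not interpret them".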