-F perm in audit rules

-F perm in audit rules

[Gabriel Alford]

[-- Attachment #1.1: Type: text/plain, Size: 551 bytes --]

Hello,

By default, does auditd audit read, write, execute, and attribute in audit
rules or do you need to specify
-F perm=wxra ?

For example,

-a always,exit -F path=/usr/bin/at -F perm=wrxa

vs

-a always,exit -F path=/usr/bin/at

Thanks and let me know if what I am asking doesn't make sense.

Gabriel Alford

Member of the technical staff

office of the chief technologist

red hat Public Sector

Red Hat

<https://www.redhat.com>

ralford@redhat.com    T: 972-707-6483 <650-254-4391>    M: 303-550-7234
<https://red.ht/sig> <https://red.ht/sig>

[-- Attachment #1.2: Type: text/html, Size: 4009 bytes --]

[-- Attachment #2: Type: text/plain, Size: 102 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: -F perm in audit rules

[Steve Grubb]

On Tuesday, September 8, 2020 7:02:01 PM EDT Gabriel Alford wrote:
> Hello,
> 
> By default, does auditd audit read, write, execute, and attribute in audit
> rules or do you need to specify
> -F perm=wxra ?
> 
> For example,
> 
> -a always,exit -F path=/usr/bin/at -F perm=wrxa
> 
> vs
> 
> -a always,exit -F path=/usr/bin/at

They are equivalent. Specifying -F perm= is so that you can fine tune what you 
want instead of everything.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit