* -F perm in audit rules
From: Gabriel Alford @ 2020-09-08 23:02 UTC (permalink / raw)
To: linux-audit
Hello,

By default, does auditd audit read, write, execute, and attribute in audit
rules or do you need to specify
-F perm=wxra ?

For example,

-a always,exit -F path=/usr/bin/at -F perm=wrxa

vs

-a always,exit -F path=/usr/bin/at

Thanks and let me know if what I am asking doesn't make sense.

Gabriel Alford
Member of the technical staff
office of the chief technologist
red hat Public Sector
Red Hat
<https://www.redhat.com>
ralford@redhat.com T: 972-707-6483 <650-254-4391> M: 303-550-7234
<https://red.ht/sig> <https://red.ht/sig>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: -F perm in audit rules
From: Steve Grubb @ 2020-09-09 18:03 UTC (permalink / raw)
To: linux-audit; +Cc: Gabriel Alford
On Tuesday, September 8, 2020 7:02:01 PM EDT Gabriel Alford wrote:
> Hello,
>
> By default, does auditd audit read, write, execute, and attribute in audit
> rules or do you need to specify
> -F perm=wxra ?
>
> For example,
>
> -a always,exit -F path=/usr/bin/at -F perm=wrxa
>
> vs
>
> -a always,exit -F path=/usr/bin/at
They are equivalent. Specifying -F perm= is so that you can fine tune what you
want instead of everything.
-Steve
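
An added example, not part of the thread or of the audit project's code: a Python check that treats a missing -F perm= as all of r, w, x and a, as the reply above states, so a rule-comparison script does not report the two rules from the question as different. The helper names (normalize, equivalent, missing_access) and the perm=x rule are constructed for illustration.

```python
import shlex

# Assumption taken from the reply above: a rule with no -F perm= field audits
# all four access types (read, write, execute, attribute change).
ALL_PERMS = frozenset("rwxa")


def normalize(rule):
    """Split one rule line into (other options, effective perm set).

    Hypothetical helper: it only understands option/value pairs such as
    "-a always,exit", "-F name=value" and "-k key".
    """
    tokens = shlex.split(rule, comments=True)
    if len(tokens) % 2:
        raise ValueError(f"option without a value in: {rule!r}")
    others, perms = set(), None
    for opt, value in zip(tokens[0::2], tokens[1::2]):
        if not opt.startswith("-"):
            raise ValueError(f"expected an option, got {opt!r}")
        if opt == "-F" and value.startswith("perm="):
            letters = value[len("perm="):]
            if perms is not None or not letters or set(letters) - ALL_PERMS:
                raise ValueError(f"bad or repeated perm field: {value!r}")
            perms = frozenset(letters)  # letter order carries no meaning
        else:
            others.add((opt, value))
    return frozenset(others), (ALL_PERMS if perms is None else perms)


def equivalent(rule_a, rule_b):
    """True when both rules match the same fields with the same access types."""
    return normalize(rule_a) == normalize(rule_b)


def missing_access(required, installed):
    """Access types the required rule audits but the installed rule does not."""
    req_other, req_perms = normalize(required)
    inst_other, inst_perms = normalize(installed)
    if req_other != inst_other:
        raise ValueError("rules differ in more than the perm field")
    return "".join(sorted(req_perms - inst_perms))


if __name__ == "__main__":
    # The two rules from the question, plus a constructed narrower rule.
    explicit = "-a always,exit -F path=/usr/bin/at -F perm=wrxa"
    implicit = "-a always,exit -F path=/usr/bin/at"
    narrow = "-a always,exit -F path=/usr/bin/at -F perm=x"
    print(equivalent(explicit, implicit), missing_access(implicit, narrow))
```
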