linux-audit.redhat.com archive mirror
* [PATCH v1] add filesystem filter list to auditctl usage
@ 2021-10-28 19:49 Richard Guy Briggs
  2021-10-28 21:15 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Guy Briggs @ 2021-10-28 19:49 UTC (permalink / raw)
  To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs

The "filesystem" filter was added 2017-10-05 with
commit 38ec69344689ac7886812890cb3e2cc97c0c112c
    ("filter: add filesystem filter with fstype")

Add the list name to the usage text.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 docs/audit.rules.7 | 4 ++--
 src/auditctl.c     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/audit.rules.7 b/docs/audit.rules.7
index 0325c153772d..40263ec6807d 100644
--- a/docs/audit.rules.7
+++ b/docs/audit.rules.7
@@ -43,7 +43,7 @@ rule.
 .SS System Call
 The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible.
 
-The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.
+The Linux kernel has 5 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude and filesystem. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.
 
 The exit filter is the place where all syscall and file system audit requests are evaluated.
 
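Review bot: In the added sentence of this hunk, "exclude and filesystem" drops the comma before "and" that the removed line had ("user, and exclude") and that the second hunk in this file keeps. Suggest "task, exit, user, exclude, and filesystem" so both enumerations in the man page read the same way. The hard-coded count ("5 rule matching lists") is also what left this sentence out of date once the filesystem list existed; consider dropping the number so the sentence does not need touching when a list is added.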
@@ -71,7 +71,7 @@ option tells the kernel's rule matching engine that we want to append a rule at
 .RE
 
 The action and list are separated by a comma but no space in between. Valid lists are:
-.IR task ", " exit ", " user ", and " exclude ". Their meaning was explained earlier.
+.IR task ", " exit ", " user ", " exclude ", and " filesystem ". Their meaning was explained earlier.
 
 Next in the rule would normally be the
 .B \-S
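Review bot: "Their meaning was explained earlier" on the changed .IR line now covers filesystem as well, but the diffstat gives this file only two changed lines, and both just add the name to an enumeration. Unless the earlier section already says when the filesystem list is evaluated, add a sentence for it next to the task and exit descriptions; otherwise the back-reference has nothing to point at for the new list.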
diff --git a/src/auditctl.c b/src/auditctl.c
index 06bb747c5fd2..f9bfc2a247d2 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -110,7 +110,7 @@ static void usage(void)
      "    -C f=f                            Compare collected fields if available:\n"
      "                                      Field name, operator(=,!=), field name\n"
      "    -d <l,a>                          Delete rule from <l>ist with <a>ction\n"
-     "                                      l=task,exit,user,exclude\n"
+     "                                      l=task,exit,user,exclude,filesystem\n"
      "                                      a=never,always\n"
      "    -D                                Delete all rules and watches\n"
      "    -e [0..2]                         Set enabled flag\n"
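Review bot: The l= line under -d is the only usage string updated, and the diffstat touches only docs/audit.rules.7 and src/auditctl.c, so any other place that enumerates the valid list names for -a or -d (the auditctl man page, for example, if it lists them) would be left inconsistent with this text and should get the same addition. The commit message also says only "Add the list name to the usage text" while the patch changes the man page too; mention both.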
-- 
2.27.0

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



* Re: [PATCH v1] add filesystem filter list to auditctl usage
  2021-10-28 19:49 [PATCH v1] add filesystem filter list to auditctl usage Richard Guy Briggs
@ 2021-10-28 21:15 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2021-10-28 21:15 UTC (permalink / raw)
  To: Linux-Audit Mailing List, Richard Guy Briggs

On Thursday, October 28, 2021 3:49:12 PM EDT Richard Guy Briggs wrote:
> The "filesystem" filter was added 2017-10-05 with
> commit 38ec69344689ac7886812890cb3e2cc97c0c112c
>     ("filter: add filesystem filter with fstype")
> 
> Add the list name to the usage text.

Thanks! Applied.

-Steve


