Guide to the Linux Manual




auditctl (8)

a utility to assist controlling the kernel's audit system


CONFIGURATION OPTIONS

-b backlog Set max number (limit) of outstanding audit buffers allowed (Kernel Default=64). If all buffers are full, the failure flag is consulted by the kernel for action.

--backlog_wait_time wait_time Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less than 10 times the default value.

--reset_backlog_wait_time_actual Reset the actual backlog wait time counter shown by the status command.

-c Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.

-D Delete all rules and watches. This can take a key option (-k), too.

-e [0..2] Set enabled flag. When 0 is passed, this can be used to temporarily disable auditing. When 1 is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a 2 as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.

-f [0..2] Set failure mode 0=silent 1=printk 2=panic. This option lets you determine how you want the kernel to handle critical errors. Example conditions where this mode may have an effect include: transmission errors to the userspace audit daemon, backlog limit exceeded, out of kernel memory, and rate limit exceeded. The default value is 1. Secure environments will probably want to set this to 2.

-h Help

-i When given by itself, ignore errors when reading rules from a file. This causes auditctl to always return a success exit code. If passed as an argument to -s then it gives an interpretation of the numbers to human readable words if possible.

--loginuid-immutable This option tells the kernel to make loginuids unchangeable once they are set. Changing loginuids requires CAP_AUDIT_CONTROL, so it's not something that can be done by unprivileged users. Setting this makes loginuid tamper-proof, but can cause some problems in certain kinds of containers.

-q mount-point,subtree If you have an existing directory watch and bind or move mount another subtree in the watched subtree, you need to tell the kernel to make the subtree being mounted equivalent to the directory being watched. If the subtree is already mounted at the time the directory watch is issued, the subtree is automatically tagged for watching. Please note the comma separating the two values. Omitting it will cause errors.

-r rate Set limit in messages/sec (0=none). If this rate is non-zero and is exceeded, the failure flag is consulted by the kernel for action. The default value is 0.

--reset-lost Reset the lost record counter shown by the status command.

-R file Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash.

--signal signal Send a signal to the audit daemon. You must have privileges to do this. Supported signals are TERM, HUP, USR1, USR2, CONT.

-t Trim the subtrees after a mount command.
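An added example, not part of the auditctl man page or the audit project: a small POSIX shell lint for a rules file intended for "auditctl -R". It checks the points described under -R and -e above (one rule per line, '#' comments, no leading "auditctl", numeric -b/-r, -f and -e in 0..2, and "-e 2" only as the final rule) and, separately, the root-owned/not-other-readable requirement. The function names and the sample rules in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the auditctl man page): lint a rules file for
# "auditctl -R" against the constraints the configuration options describe.

# lint_audit_rules FILE: print one line per problem, return 0 if clean.
lint_audit_rules() {
    file=$1 rc=0 locked=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # blank and comment lines are allowed
        case "$line" in
            auditctl*) echo "line $lineno: rules in a file are not prefixed with auditctl"; rc=1 ;;
        esac
        # After "-e 2" the configuration is locked; any further rule would be denied.
        if [ "$locked" -eq 1 ]; then
            echo "line $lineno: rule after '-e 2'; the lock must be the last command"; rc=1
        fi
        set -- $line                                # split the rule into words
        while [ $# -gt 0 ]; do
            opt=$1; val=${2:-}
            case "$opt" in
                -f|-e) case "$val" in 0|1|2) ;; *) echo "line $lineno: $opt takes 0..2"; rc=1 ;; esac
                       [ "$opt" = "-e" ] && [ "$val" = "2" ] && locked=1 ;;
                -b|-r) case "$val" in ''|*[!0-9]*) echo "line $lineno: $opt needs a number"; rc=1 ;; esac ;;
            esac
            shift
        done
    done < "$file"
    return $rc
}

# check_audit_rules_owner FILE: true only if FILE is owned by root and not
# readable by other users, which is what auditctl -R requires.
check_audit_rules_owner() {
    [ -n "$(find "$1" -user root ! -perm -004 2>/dev/null)" ]
}
```

Run lint_audit_rules on the file before loading it with -R; a non-zero exit means at least one diagnostic was printed.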