Guide to the Linux Manual

auditctl(8)

a utility to assist controlling the kernel's audit system

Examples

To see all syscalls made by a specific program:

# By pid:
auditctl -a always,exit -S all -F pid=1005
# By executable path
auditctl -a always,exit -S all -F exe=/usr/bin/ls

To see files opened by a specific user:

auditctl -a always,exit -S openat -F auid=510

To see unsuccessful openat calls:

auditctl -a always,exit -S openat -F success=0

To watch a file for changes (2 ways to express):

auditctl -w /etc/shadow -p wa
auditctl -a always,exit -F path=/etc/shadow -F perm=wa

To recursively watch a directory for changes (2 ways to express):

auditctl -w /etc/ -p wa
auditctl -a always,exit -F dir=/etc/ -F perm=wa
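The file and directory watches above are each given in two forms. The following is an added example, not code from the auditctl man page or the audit project: it parses both forms into one canonical description so the equivalence can be checked, and rewrites a -w/-p watch into its -a always,exit form. It assumes that a watched path ending in "/" is a directory (-F dir=); real auditctl decides that from the filesystem object itself.

```python
"""Added example, not code from the auditctl man page. The Examples above give
each watch in two forms; this parses both into one canonical description so
the equivalence can be checked, and rewrites a -w/-p watch into its -a form.
Assumption: a watched path ending in "/" is a directory (-F dir=); auditctl
itself decides that from the real filesystem object."""
import shlex

PERM_ORDER = "rwxa"  # read, write, execute, attribute change


def parse_rule(rule: str) -> dict:
    """Return {'target': 'path'|'dir', 'object': PATH, 'perm': LETTERS}."""
    argv = shlex.split(rule)
    argv = argv[1:] if argv[:1] == ["auditctl"] else argv
    if len(argv) % 2:
        raise ValueError("every option handled here takes one argument")
    out, is_watch = {"target": None, "object": None, "perm": None}, False
    for opt, val in zip(argv[::2], argv[1::2]):
        if opt == "-w":  # watch form; trailing slash => directory (assumption)
            is_watch = True
            out["target"], out["object"] = ("dir" if val.endswith("/") else "path"), val
        elif opt == "-p":
            out["perm"] = val
        elif opt == "-F" and val.partition("=")[0] in ("path", "dir"):
            out["target"], _, out["object"] = val.partition("=")
        elif opt == "-F" and val.startswith("perm="):
            out["perm"] = val[len("perm="):]
        elif opt != "-a" or val != "always,exit":
            raise ValueError(f"unsupported option: {opt} {val}")
    if out["object"] is None:
        raise ValueError("rule names no file or directory")
    if out["perm"] is None:
        if not is_watch:
            raise ValueError("-F path=/dir= rule needs -F perm=")
        out["perm"] = PERM_ORDER  # auditctl watches default to all four
    if not out["perm"] or set(out["perm"]) - set(PERM_ORDER):
        raise ValueError(f"bad permission letters: {out['perm']!r}")
    # "wa" and "aw" are the same filter; keep auditctl's rwxa order.
    out["perm"] = "".join(c for c in PERM_ORDER if c in out["perm"])
    return out


def watch_to_syscall_rule(rule: str) -> str:
    """Rewrite 'auditctl -w PATH -p PERMS' as the equivalent -a always,exit rule."""
    r = parse_rule(rule)
    return f"auditctl -a always,exit -F {r['target']}={r['object']} -F perm={r['perm']}"
```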

To see if an admin is accessing other users' files:

auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid