Changeset 589


Timestamp: 10/23/11 16:13:03 (2 years ago)
Author: sgrubb
Message: Update the man pages a little
Location: branches/1.8
Files: 5 edited

  • branches/1.8/ChangeLog

    r587 r589  
    2121- Make audisp-remote robust 
    2222- Add 2 error returns to python bindings 
     23- Update the man pages a little 
    2324 
    24251.7.18 
  • branches/1.8/docs/audit_encode_nv_string.3

    r106 r589  
    1 .TH "AUDIT_ENCODE_NV_STRING" "3" "Sept 2008" "Red Hat" "Linux Audit API" 
     1.TH "AUDIT_ENCODE_NV_STRING" "3" "Oct 2010" "Red Hat" "Linux Audit API" 
    22.SH NAME 
    33audit_encode_nv_string \- encode a name/value pair in a string 
     
    55.B #include <libaudit.h> 
    66.sp 
    7 .B int audit_encode_nv_string(const char *name, const char *value, unsigned int vlen) 
     7.B char *audit_encode_nv_string(const char *name, const char *value, unsigned int vlen) 
    88 
    99.SH DESCRIPTION 
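Review bot: the SYNOPSIS on line 7 now declares the function as returning `char *` instead of `int`, so the RETURN VALUE section further down (not in this hunk) has to agree with it and say what the pointer refers to and who is responsible for freeing it; a prototype change without that text leaves callers guessing about ownership of the returned buffer. Also, the new .TH date on line 1 reads "Oct 2010" while this changeset is dated 10/23/11; if this is a backport of an older trunk edit that is fine, otherwise it should read Oct 2011.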
  • branches/1.8/docs/audit_log_acct_message.3

    r1 r589  
    1 .TH "AUDIT_LOG_ACCT_MESSAGE" "3" "Oct 2006" "Red Hat" "Linux Audit API" 
     1.TH "AUDIT_LOG_ACCT_MESSAGE" "3" "Oct 2010" "Red Hat" "Linux Audit API" 
    22.SH NAME 
    33audit_log_acct_message \- log a user account message 
     
    1919op  -  operation. Ex: "adding user", "changing finger info", "deleting group" 
    2020name - user's account or group name. If not available use NULL. 
    21 id  -  uid or gid that the operation is being performed on. This is used only when user is NULL. 
    22 host - The hostname if known 
    23 addr - The network address of the user 
     21id  -  uid or gid that the operation is being performed on. If the user is unknown, pass a -1 and fill in the name parameter. This is used only when user is NULL. 
     22host - The hostname if known. If not available pass a NULL. 
     23addr - The network address of the user. If not available pass a NULL. 
    2424tty  - The tty of the user, if NULL will attempt to figure out 
    2525result - 1 is "success" and 0 is "failed" 
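Review bot: the new id description on line 21 uses two names for the same parameter: it says "fill in the name parameter" and then "This is used only when user is NULL", but the parameter listed on line 20 is name, not user. Suggest "This is used only when name is NULL." Likewise "If the user is unknown, pass a -1" is ambiguous (unknown name, or unknown uid?); since the sentence goes on to say to fill in name, it should read "If the uid or gid is unknown, pass -1 and fill in the name parameter." The host and addr additions on lines 22-23 are clear.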
  • branches/1.8/docs/auditctl.8

    r441 r589  
    1 .TH AUDITCTL: "8" "Nov 2008" "Red Hat" "System Administration Utilities" 
     1.TH AUDITCTL: "8" "Feb 2011" "Red Hat" "System Administration Utilities" 
    22.SH NAME 
    33auditctl \- a utility to assist controlling the kernel's audit system 
     
    3131.TP 
    3232.BI \-m\  text 
    33 Send a user space message into the audit system. This can only be done by the root user. 
     33Send a user space message into the audit system. This can only be done if you have CAP_AUDIT_WRITE capability (normally the root user has this). The resulting event will be the USER type. 
    3434.TP 
    3535\fB\-p\fP [\fBr\fP|\fBw\fP|\fBx\fP|\fBa\fP] 
    36 Set permissions filter for a file system watch. \fBr\fP=read, \fBw\fP=write, \fBx\fP=execute, \fBa\fP=attribute change. These permissions are not the standard file permissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested. 
     36Describe the permission access type that a file system watch will trigger on. \fBr\fP=read, \fBw\fP=write, \fBx\fP=execute, \fBa\fP=attribute change. These permissions are not the standard file permissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested. 
    3737.TP 
    3838.BI \-q\  mount-point,subtree 
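Review bot: the -p text on line 36 still carries the fragment "But rather for reads or writes, the open flags are looked at to see what permission was requested.", which does not parse as a sentence after "The read & write syscalls are omitted from this set since they would overwhelm the logs."; suggest "Instead, for reads and writes the flags passed to open are examined to see what permission was requested." The -m change on line 33 is an improvement: naming CAP_AUDIT_WRITE rather than "the root user" is accurate, and stating that the resulting record is of the USER type helps anyone writing a search or alert for those events.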
     
    8585.TP 
    8686.BI \-d\  list , action 
    87 Delete rule from \fIlist\fP with \fIaction\fP. The rule is deleted only if it exactly matches syscall name and field names. 
     87Delete rule from \fIlist\fP with \fIaction\fP. The rule is deleted only if it exactly matches syscall name(s) and every field name and value. 
    8888.TP 
    8989.B \-D 
     
    9191.TP 
    9292\fB\-S\fP [\fISyscall name or number\fP|\fBall\fP] 
    93 Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may also be used.  If this syscall is made by a program, then start an audit record. If a field rule is given and no syscall is specified, it will default to all syscalls. You may also specify multiple syscalls in the same rule by using multiple -S options in the same rule. Doing so improves performance since fewer rules need to be evaluated. If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that, for example, the open syscall has the same number on both 32 and 64 bit interfaces. You may want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. 
     93Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may also be used.  If the given syscall is made by a program, then start an audit record. If a field rule is given and no syscall is specified, it will default to all syscalls. You may also specify multiple syscalls in the same rule by using multiple -S options in the same rule. Doing so improves performance since fewer rules need to be evaluated. If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that, for example, the open syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info. 
    9494.TP 
    9595\fB\-F\fP [\fIn\fP\fB=\fP\fIv\fP | \fIn\fP\fB!=\fP\fIv\fP | \fIn\fP\fB<\fP\fIv\fP | \fIn\fP\fB>\fP\fIv\fP | \fIn\fP\fB<=\fP\fIv\fP | \fIn\fP\fB>=\fP\fIv\fP | \fIn\fP\fB&\fP\fIv\fP | \fIn\fP\fB&=\fP\fIv\fP] 
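Review bot: the cross-reference added at the end of line 93, "See the arch field discussion for more info.", should name where that discussion lives, e.g. "See the \fBarch\fP field under \fB\-F\fP", since a reader of -S will not know it is a field entry further down the page. While here, the all-caps "IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS" would read better as emphasised text (\fB...\fP) than as shouting; the point itself, that a rule without an arch field on a bi-arch system can match a different syscall than intended, is exactly the caveat an administrator needs and should stay prominent.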
     
    147147.TP 
    148148.B msgtype 
    149 This is used to match the message type number. It should only be used on the exclude filter list. 
     149This is used to match the event's record type. It should only be used on the exclude filter list. 
    150150.TP 
    151151.B obj_user 
     
    165165.TP 
    166166.B path 
    167 Full Path of File to watch. Should only be used on exit list. 
     167Full Path of File to watch. It can only be used on exit list. 
    168168.TP 
    169169.B perm 
    170 Permission filter for file operations. See "\fB\-p\fP". Should only be used on exit list. You can use this without specifying a syscall and the kernel will select the syscalls that satisfy the permissions being requested. 
     170Permission filter for file operations. See "\fB\-p\fP". It can only be used on exit list. You can use this without specifying a syscall and the kernel will select the syscalls that satisfy the permissions being requested. 
    171171.TP 
    172172.B pers 
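Review bot: lines 167 and 170 now read "It can only be used on exit list"; the article is missing in both, so it should be "on the exit list". Tightening "Should only be used" to "It can only be used" is the right direction, since it tells the reader this is a constraint rather than advice.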
     
    211211.TP 
    212212.BI \-W\  path 
    213 Remove a watch for the file system object at \fIpath\fP. 
     213Remove a watch for the file system object at \fIpath\fP. The rule must match exactly. See \fB-d\fP discussion for more info. 
    214214.SH "PERFORMANCE TIPS" 
    215 Syscall rules get evaluated for each syscall for each program. If you have 10 syscall rules, every program on your system will delay during a syscall while the audit system evaluates each one. Too many syscall rules will hurt performance. Try to combine as many as you can whenever the filter, action, key, and fields are identical. For example: 
     215Syscall rules get evaluated for each syscall for every program. If you have 10 syscall rules, every program on your system will delay during a syscall while the audit system evaluates each rule. Too many syscall rules will hurt performance. Try to combine as many as you can whenever the filter, action, key, and fields are identical. For example: 
    216216 
    217217.nf 
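Review bot: the sentence added on line 213, "The rule must match exactly.", needs to say what the rule consists of for a watch, since -W itself takes only a path; as written the reader has to guess whether the -p permissions and -k key given when the watch was added must be repeated on removal. If that is how it is matched, suggest "The watch is removed only if the path and any \fB\-p\fP permissions and \fB\-k\fP key match the rule as it was added; see the \fB\-d\fP discussion." The PERFORMANCE TIPS wording changes on line 215 ("every program", "each rule") are fine.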
     
    239239 
    240240.nf 
    241 .B auditctl \-a entry,always \-S all \-F pid=1005 
     241.B auditctl \-a exit,always \-S all \-F pid=1005 
    242242.fi 
    243243 
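Review bot: changing the example on line 241 from entry,always to exit,always is a real fix, not just wording, since the rest of the page documents fields such as path and perm as usable only on the exit list; the remaining examples in this section and in EXAMPLES should be checked for any other "entry," so the page does not contradict itself.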
  • branches/1.8/docs/auditd.conf.5

    r430 r589  
    187187If set to 
    188188.IR ignore , 
    189 the audit daemon does nothing. 
     189the audit daemon will issue a syslog message but no other action is taken. 
    190190.I Syslog 
    191191means that it will issue a warning to syslog. 
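Review bot: after the change on line 189 the ignore value is described as "will issue a syslog message but no other action is taken", and the very next entry on lines 190-191 describes syslog as "it will issue a warning to syslog", so the two values now read as the same behaviour. If they differ (for instance in syslog priority, or in whether the message is emitted once versus on every occurrence), the text should say how; if they do not differ, one entry should say it is equivalent to the other.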
     
    205205If set to 
    206206.IR ignore , 
    207 the audit daemon does nothing. 
     207the audit daemon will issue a syslog message but no other action is taken. 
    208208.I Syslog 
    209209means that it will issue a warning to syslog. 
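Review bot: same point as for the previous hunk: lines 207-209 now describe ignore and syslog in nearly identical terms; state the difference or the equivalence.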
     
    221221causes auditd to listen on the corresponding TCP port for audit 
    222222records from remote systems. The audit daemon may be linked with 
    223 tcp_wrappers. You may want to controll access with an entry in the 
     223tcp_wrappers. You may want to control access with an entry in the 
    224224hosts.allow and deny files. 
    225225.TP 
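Review bot: beyond the typo fix on line 223, this paragraph could do more for the administrator securing the listener. "The audit daemon may be linked with tcp_wrappers" leaves the reader unsure whether hosts.allow/hosts.deny entries will have any effect on their build, so it should say how to tell (e.g. whether the auditd binary is linked against libwrap), and it should give the full paths /etc/hosts.allow and /etc/hosts.deny with a pointer to hosts_access(5). It is also worth stating plainly that if the daemon was not built with tcp_wrappers, those files do not restrict who can connect to the listening port and access must be controlled by other means, such as a host firewall.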