auditd rules



I want to add some new rules to the auditing system of Linux at file

For example, if I want to log accesses to the squid log files through
the following rule:

predicate is-squid-log = prefix(/var/log/squid)

tag "SQUID_logs"

syscall @file-ops = is-squid-log(arg0);

and reload the audit service and test it by reading one file in the /var/log/squid
directory, the audit system does not log this access.

Is this rule OK?

Thank you in advance.

Other system config:

audit           0:desactivado   1:desactivado   2:activo        3:activo
        4:activo        5:activo        6:desactivado

dev.audit.debug = 0
dev.audit.paranoia = 0
dev.audit.max-messages = 1024
dev.audit.allow-suspend = 1
dev.audit.attach-all = 1
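The rule in the post uses the older predicate/tag filter syntax. As an added example that is not part of the original post, the script below expresses the same intent ("log every access to files under /var/log/squid, tagged SQUID_logs") in the rule syntax of current auditd: a watch (-w) on the directory with read/write/attribute permissions (-p rwa) and a key (-k) that ausearch can later filter on. The prefix check mirrors the prefix(/var/log/squid) predicate so you can see which paths a directory watch covers; the sample paths are constructed for illustration, and the key name is taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes auditd 2.x-style rules
# (auditctl/ausearch) rather than the older filter.conf predicate syntax.

SQUID_DIR=/var/log/squid   # directory the post wants audited
KEY=SQUID_logs             # the post's tag, used as the audit key

# Rule fragment as it would appear in /etc/audit/rules.d/squid.rules:
#   -w <path>  watch the path (a directory watch covers the files inside it)
#   -p rwa     record reads, writes and attribute changes
#   -k <key>   label the events so "ausearch -k SQUID_logs" finds them
squid_audit_rules() {
    printf -- '-w %s/ -p rwa -k %s\n' "$SQUID_DIR" "$KEY"
}

# Prefix check equivalent to the post's prefix(/var/log/squid) predicate:
# returns 0 when the given path is the watched directory or lies beneath it.
covered_by_watch() {
    case "$1" in
        "$SQUID_DIR"|"$SQUID_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Load the rule into the running kernel (root only) and show it back with
# auditctl -l; without root or auditctl, just print the fragment instead.
load_rules() {
    if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        auditctl -w "$SQUID_DIR/" -p rwa -k "$KEY"
        auditctl -l | grep -F -- "-k $KEY"
    else
        squid_audit_rules
    fi
}

# Quick self-check against constructed sample paths.
for p in "$SQUID_DIR/access.log" "$SQUID_DIR/cache.log" "/var/log/squid2/access.log"; do
    if covered_by_watch "$p"; then
        echo "covered:     $p"
    else
        echo "not covered: $p"
    fi
done

# Run as "./squid-audit.sh load" to actually install the rule; the default
# invocation only prints the rule fragment.
case "${1:-}" in
    load) load_rules ;;
    *)    squid_audit_rules ;;
esac
```

After loading, reading a file in the directory (for example with cat) and then running ausearch -k SQUID_logs should show the matching PATH and SYSCALL records; if it does not, check auditctl -l first to confirm the watch was accepted, since a rule that fails to load silently logs nothing.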
