Linux ENTERPRISE 10 SP1 - THE AUDIT Manual page 22

The linux audit framework for novell
add an audit context to this system call when entering it and write out a report as
soon as the call exits.
This rule adds an audit context to the IPC multiplexed system call. The specific
ipc system call is passed as the first syscall argument and can be selected using
-F a0=ipc_call_number.
This rule audits failed attempts to call open.
This rule is an example of a task rule (keyword: task). It is different from the
other rules above in that it applies to processes that are forked or cloned. To filter
these kinds of events, you can only use fields that are known at fork time, such as
UID, GID, and AUID. This example rule filters for all tasks carrying an audit ID
of 0.
This last rule makes heavy use of filters. All filter options are combined with a
logical AND operator, meaning that this rule applies to all tasks that carry the
audit ID of 501, have changed to run as root, and have wheel as the group. A
process is given an audit ID on user login. This ID is then handed down to any
child process started by the initial process of the user. Even if the user changes
his identity, the audit ID stays the same and allows tracing actions to the original
user.
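As an added illustration of the rule semantics described above and of the delete rules in Example 1.5 below, here is a small Python model (written for this page, not auditctl's own code) that parses this chapter's -a/-d/-S/-F/-D syntax, keeps the rule queue the way /etc/audit.rules is processed, and applies the logical-AND matching of -F filters to an event. The event field names and values are constructed for illustration, names such as wheel are compared as plain strings rather than resolved to numeric IDs as auditctl does, and file watches (-w/-W) are not modeled.

```python
# Added example: a model of auditctl rule parsing, rule-queue handling and
# -F filter matching (logical AND). Not auditctl; event fields are constructed.
import shlex

def parse_rule(line):
    """Parse '-D' or '-a|-d list,action [-S syscall]* [-F field=value]*' into a dict."""
    toks = shlex.split(line)
    if toks == ["-D"]:
        return {"op": "clear"}
    rule = {"syscalls": [], "filters": {}}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt in ("-a", "-d"):                      # add or delete a syscall/task rule
            rule["op"] = "add" if opt == "-a" else "delete"
            rule["list"], rule["action"] = arg.split(",", 1)   # e.g. entry,always
        elif opt == "-S":                            # may be repeated
            rule["syscalls"].append(arg)
        elif opt == "-F":                            # may be repeated; all must match
            key, value = arg.split("=", 1)
            rule["filters"][key] = value
        else:
            raise ValueError("unsupported option in this model: " + opt)
    if "op" not in rule:
        raise ValueError("rule needs -a or -d: " + line)
    return rule

def same_rule(a, b):
    """Two rules are identical when list, action, syscall set and filters agree."""
    def key(r):
        return (r["list"], r["action"], sorted(r["syscalls"]), r["filters"])
    return key(a) == key(b)

def load_rules(lines):
    """Apply rule lines in order, as the entries of /etc/audit.rules would be."""
    queue = []
    for line in lines:
        rule = parse_rule(line)
        if rule["op"] == "clear":        # -D: purge everything queued so far
            queue = []
        elif rule["op"] == "add":        # -a: append to the queue
            queue.append(rule)
        else:                            # -d: drop every queued rule identical to it
            queue = [q for q in queue if not same_rule(q, rule)]
    return queue

def matches(rule, event):
    """A rule fires only if the syscall is listed (when -S is given) AND every -F field matches."""
    if rule["syscalls"] and event.get("syscall") not in rule["syscalls"]:
        return False
    return all(str(event.get(field)) == value for field, value in rule["filters"].items())
```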
TIP: Filtering System Call Arguments
For more details on filtering system call arguments, refer to Section 3.6,
"Filtering System Call Arguments" (page 54).
You can not only add rules to the audit system, but also remove them. Delete rules are
used to purge the rule queue of rules that might potentially clash with those you want
to add. There are different methods for deleting the entire rule set at once or for deleting
system call rules or file and directory watches:
Example 1.5 Deleting Audit Rules and Events
-D
-d entry,always -S mkdir
-W /etc
Clear the queue of audit rules and delete any preexisting rules. This rule is used
as the first rule in /etc/audit.rules files to make sure that the rules that
are about to be added do not clash with any preexisting ones. The auditctl