Understanding The Audit Logs And Generating Reports - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

rules that are about to be added do not clash with any preexisting ones. The auditctl -D command is also used before doing an autrace to avoid having the trace rules clash with any rules present in the audit.rules file.

This rule deletes a system call rule. The -d option must precede any system call rule that should be deleted from the rule queue and must match exactly.

This rule tells audit to discard the rule with the directory watch on /etc from the rules queue. This rule deletes any rule containing a directory watch on /etc regardless of any permission filtering or key options.

To get an overview of which rules are currently in use in your audit setup, run auditctl -l. This command displays all rules with one rule per line.
Example 30.6 Listing Rules with auditctl -l
LIST_RULES: exit,always watch=/etc perm=rx
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=fk_passwd
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa
LIST_RULES: entry,always syscall=mkdir
LIST_RULES: entry,always a1=4 (0x4) syscall=access
LIST_RULES: exit,always a0=2 (0x2) syscall=ipc
LIST_RULES: exit,always success!=0 syscall=open
NOTE: Creating Filter Rules

You can build very sophisticated audit rules by using the various filter options. Refer to the auditctl(8) man page for more information about options available for building audit filter rules and audit rules in general.
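The clash check before adding a rule and the two -d matching behaviours described above can be automated from the auditctl -l listing. The following is an added example, not code from the Novell guide or the audit package: it parses the LIST_RULES format of Example 30.6 (embedded here as constructed input), flags a candidate rule that is already loaded or whose watch path lies inside an existing directory watch, and removes rules the way -d does (a watch delete ignores perm and key, a system call delete must match exactly). The field names and the "overlap" verdict are this example's own conventions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the listing shown in Example 30.6 above.
SAMPLE_LISTING = """\
LIST_RULES: exit,always watch=/etc perm=rx
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=fk_passwd
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa
LIST_RULES: entry,always syscall=mkdir
LIST_RULES: entry,always a1=4 (0x4) syscall=access
LIST_RULES: exit,always a0=2 (0x2) syscall=ipc
LIST_RULES: exit,always success!=0 syscall=open
"""

@dataclass(frozen=True)
class Rule:
    list_name: str                  # entry, exit, task, user or exclude
    action: str                     # always or never
    watch: Optional[str] = None     # path of a file or directory watch
    perm: str = ""                  # r/w/x/a filter on the watch
    key: Optional[str] = None       # filter key, e.g. fk_passwd
    syscall: Optional[str] = None
    fields: Tuple[Tuple[str, str, str], ...] = ()  # other filters, e.g. ('success', '!=', '0')
FIELD_RE = re.compile(r"(\w+)(!=|=)(\S+)")
def parse_line(line: str) -> Rule:
    # drop the 'LIST_RULES:' prefix and the hex echo printed after numeric filters, e.g. '(0x4)'
    body = re.sub(r"\s*\(0x[0-9a-fA-F]+\)", "", line.split(":", 1)[1])
    head, *tokens = body.split()
    list_name, action = head.split(",")
    kw, extra = {}, []
    for tok in tokens:
        name, op, value = FIELD_RE.fullmatch(tok).groups()
        if name in ("watch", "perm", "key", "syscall"): kw[name] = value
        else: extra.append((name, op, value))
    return Rule(list_name, action, fields=tuple(extra), **kw)
def parse_listing(text: str) -> List[Rule]:
    return [parse_line(l) for l in text.splitlines() if l.startswith("LIST_RULES:")]

def check_before_add(rules: List[Rule], cand: Rule) -> str:
    """'duplicate' if the exact rule is loaded, 'overlap' if the new watch path lies inside an existing directory watch, else 'ok'."""
    if cand in rules: return "duplicate"
    for r in rules:
        if cand.watch and r.watch and cand.watch.startswith(r.watch.rstrip("/") + "/"):
            return "overlap"
    return "ok"
def delete_matching(rules: List[Rule], target: Rule) -> List[Rule]:
    """-d semantics from the text: a watch delete ignores perm and key; a syscall delete must match exactly."""
    ident = lambda r: (r.list_name, r.action, r.watch) if target.watch else r
    return [r for r in rules if ident(r) != ident(target)]
```

Feed it the real output of auditctl -l on the host before calling auditctl -w or -a, and only add the rule when the verdict is "ok".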
30.5 Understanding the Audit Logs and Generating Reports

To understand what the aureport utility does, it is vital to know how the logs generated by the audit daemon are structured and what exactly is recorded for an event. Only then can you decide which report types are most appropriate for your needs.
Understanding Linux Audit
351