
multiline entries in audit.rules



I just spent a chunk of time debugging an issue with my audit.rules
file.  So I just wanted to post here as (1) a feature request and (2)
a note for others that may be heading down this path.

The situation is that I have some longish lines in my
/etc/audit/audit.rules file.  So, to clean things up, I broke them
into multiple lines as follows...

Something like this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

Became this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \
    -F auid!=4294967295 -k perm_mod

This change, however, breaks the parsing by auditctl.

It would be nice to have the ability to have multiline entries in the
rules file.  But in the meantime, hopefully this note could help to
save someone else some time.

Cheers,
-bryan
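
Since the post reports that auditctl does not accept the backslash-continued form, one workaround is to keep a readable multi-line source file and flatten it before loading. The following is an added example, not part of the original post or of the audit package; the function name `join_continuations` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flatten backslash-continued audit rules so that every
# rule ends up on one physical line, the form shown to work in the post.

# join_continuations [FILE...]
# Reads FILE(s) or stdin and prints the rules with continuations merged.
join_continuations() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        {
            # A trailing backslash (optionally followed by blanks) continues the rule.
            cont = ($0 ~ /\\[ \t]*$/)
            # Edge case: a comment ending in "\" must not swallow the next rule.
            if (!pending && $0 ~ /^[ \t]*#/) cont = 0
            part = $0
            if (cont) sub(/\\[ \t]*$/, "", part)
            if (pending) part = buf " " trim(part)
            if (cont) { buf = trim(part); pending = 1; next }
            print part
            buf = ""; pending = 0
        }
        # A dangling continuation on the last line is still emitted.
        END { if (pending) print buf }
    ' "$@"
}

# Constructed sample: the multi-line rule from the post.
join_continuations <<'EOF'
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \
    -F auid!=4294967295 -k perm_mod
EOF
```

The flattened output can be written to a file and loaded with `auditctl -R`, keeping the multi-line version as the file that is edited by hand.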

