From: Michael C Thompson
Subject: auditctl usage for filter lists: "user", "watch" and "exclude"
Date: Thu, 18 May 2006 09:47:49 -0500
Message-ID: <446C8915.20606@us.ibm.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hey all,

I'm trying to understand better the user, watch and exclude auditctl filter lists. I believe I have a reasonable understanding of exclude from some examples Steve gave (see below), but I have very little idea of how user is meant to be used, and none about watch. Any enlightenment will be helpful.
For the exclude list, exclude,always -F msgtype=SYSCALL seems to be the only valid structure, where msgtype can be any value (XXX) for the type in the audit.log? (where the 1st field in the audit log is type=XXX) Are there more filters that apply? (and does it have any meaning without a filter?)

Any examples and/or explanations on "user" and "watch" would be appreciated.

Thanks,
Mike
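Added example, not from the original mail or the audit project: a small user-space simulation of the exclude-list behaviour the mail describes, assuming (as the mail does) that `msgtype=XXX` in an `exclude,always` rule is matched against the `type=XXX` field at the start of each audit.log record. The log records below are constructed, and `parse_exclude_rule`/`apply_exclude_rules` are names chosen here, not auditctl functions.

```python
import re

# Constructed audit.log sample (not real records from the mail or any system).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1147963669.123:1): arch=c000003e syscall=2 success=yes exit=3 pid=1234 auid=500 uid=0 comm="cat"
type=CWD msg=audit(1147963669.123:1): cwd="/root"
type=PATH msg=audit(1147963669.123:1): item=0 name="/etc/shadow" inode=123 dev=08:01 mode=0100600
type=USER_LOGIN msg=audit(1147963670.456:2): user pid=2345 uid=0 auid=500 msg='acct="mike": res=success'
type=CONFIG_CHANGE msg=audit(1147963671.789:3): auid=500 op=add rule key=(null) list=4 res=1
"""

# The first field of every audit.log record is type=XXX.
TYPE_RE = re.compile(r'^type=(\S+)\s')

# Accept the form from the mail, optionally prefixed with "auditctl -a".
# Assumption: only the msgtype field is supported on the exclude list here.
RULE_RE = re.compile(r'(?:auditctl\s+)?(?:-a\s+)?exclude,always\s+-F\s+msgtype=(\S+)')


def parse_exclude_rule(rule):
    """Return the record type named by an 'exclude,always -F msgtype=XXX' rule."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported exclude rule: {rule!r}")
    return m.group(1)


def record_type(line):
    """Extract XXX from a 'type=XXX ...' audit.log line (None if malformed)."""
    m = TYPE_RE.match(line)
    return m.group(1) if m else None


def apply_exclude_rules(log_text, rules):
    """Simulate the exclude list: drop every record whose type is named by a rule."""
    excluded = {parse_exclude_rule(r) for r in rules}
    return [line for line in log_text.splitlines() if record_type(line) not in excluded]


if __name__ == "__main__":
    rules = ["exclude,always -F msgtype=SYSCALL", "auditctl -a exclude,always -F msgtype=PATH"]
    for kept in apply_exclude_rules(SAMPLE_AUDIT_LOG, rules):
        print(kept)
```

Note that the SYSCALL, CWD and PATH lines share one event serial; excluding only SYSCALL leaves the CWD and PATH records of that event in the log, which is worth knowing before relying on exclude rules to suppress an event entirely.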