'auditctl -l' output is different between different auditd version












0















I need to match a regex against the output of 'auditctl -l' command.
From the several checks I conducted I saw a difference in output convention writing in different audit versions (for the same audit rules):




  • On Ubuntu 18.04 with auditd 1.7.18 I got the following output for 'auditctl -l':




    LIST_RULES: exit,always dir=/var/lib/docker (0xf) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker perm=rwxa key=docker 

    LIST_RULES: exit,always dir=/etc/docker (0xb) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.service perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.socket perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/default/docker perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/docker/daemon.json perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-containerd perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-runc perm=rwxa key=docker



  • On Ubuntu 18.04 with auditd 2.8.2 I got the following output for 'auditctl -l':




    -w /usr/bin/docker -p rwxa -k docker 

    -w /var/lib/docker -p rwxa -k docker 

    -w /etc/docker -p rwxa -k docker 

    -w /lib/systemd/system/docker.service -p rwxa -k docker 

    -w /lib/systemd/system/docker.socket -p rwxa -k docker 

    -w /etc/default/docker -p rwxa -k docker 

    -w /etc/docker/daemon.json -p rwxa -k docker 

    -w /usr/bin/docker-containerd -p rwxa -k docker 

    -w /usr/bin/docker-runc -p rwxa -k docker


Are there other options for output writing convention? Maybe in other Linux distributions? And how can I know (is there a manual or other documentation)?






linux audit linux-audit







share|improve this question

























  • perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

    – Thomas Dickey
    Jan 9 at 21:50
















0















I need to match a regex against the output of 'auditctl -l' command.
From the several checks I conducted I saw a difference in output convention writing in different audit versions (for the same audit rules):




  • On Ubuntu 18.04 with auditd 1.7.18 I got the following output for 'auditctl -l':




    LIST_RULES: exit,always dir=/var/lib/docker (0xf) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker perm=rwxa key=docker 

    LIST_RULES: exit,always dir=/etc/docker (0xb) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.service perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.socket perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/default/docker perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/docker/daemon.json perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-containerd perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-runc perm=rwxa key=docker



  • On Ubuntu 18.04 with auditd 2.8.2 I got the following output for 'auditctl -l':




    -w /usr/bin/docker -p rwxa -k docker 

    -w /var/lib/docker -p rwxa -k docker 

    -w /etc/docker -p rwxa -k docker 

    -w /lib/systemd/system/docker.service -p rwxa -k docker 

    -w /lib/systemd/system/docker.socket -p rwxa -k docker 

    -w /etc/default/docker -p rwxa -k docker 

    -w /etc/docker/daemon.json -p rwxa -k docker 

    -w /usr/bin/docker-containerd -p rwxa -k docker 

    -w /usr/bin/docker-runc -p rwxa -k docker


Are there other options for output writing convention? Maybe in other Linux distributions? And how can I know (is there a manual or other documentation)?






linux audit linux-audit







share|improve this question

























  • perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

    – Thomas Dickey
    Jan 9 at 21:50














0












0








0








I need to match a regex against the output of 'auditctl -l' command.
From the several checks I conducted I saw a difference in output convention writing in different audit versions (for the same audit rules):




  • On Ubuntu 18.04 with auditd 1.7.18 I got the following output for 'auditctl -l':




    LIST_RULES: exit,always dir=/var/lib/docker (0xf) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker perm=rwxa key=docker 

    LIST_RULES: exit,always dir=/etc/docker (0xb) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.service perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.socket perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/default/docker perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/docker/daemon.json perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-containerd perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-runc perm=rwxa key=docker



  • On Ubuntu 18.04 with auditd 2.8.2 I got the following output for 'auditctl -l':




    -w /usr/bin/docker -p rwxa -k docker 

    -w /var/lib/docker -p rwxa -k docker 

    -w /etc/docker -p rwxa -k docker 

    -w /lib/systemd/system/docker.service -p rwxa -k docker 

    -w /lib/systemd/system/docker.socket -p rwxa -k docker 

    -w /etc/default/docker -p rwxa -k docker 

    -w /etc/docker/daemon.json -p rwxa -k docker 

    -w /usr/bin/docker-containerd -p rwxa -k docker 

    -w /usr/bin/docker-runc -p rwxa -k docker


Are there other options for output writing convention? Maybe in other Linux distributions? And how can I know (is there a manual or other documentation)?






linux audit linux-audit







share|improve this question
















I need to match a regex against the output of 'auditctl -l' command.
From the several checks I conducted I saw a difference in output convention writing in different audit versions (for the same audit rules):




  • On Ubuntu 18.04 with auditd 1.7.18 I got the following output for 'auditctl -l':




    LIST_RULES: exit,always dir=/var/lib/docker (0xf) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker perm=rwxa key=docker 

    LIST_RULES: exit,always dir=/etc/docker (0xb) perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.service perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/lib/systemd/system/docker.socket perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/default/docker perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/etc/docker/daemon.json perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-containerd perm=rwxa key=docker 

    LIST_RULES: exit,always watch=/usr/bin/docker-runc perm=rwxa key=docker



  • On Ubuntu 18.04 with auditd 2.8.2 I got the following output for 'auditctl -l':




    -w /usr/bin/docker -p rwxa -k docker 

    -w /var/lib/docker -p rwxa -k docker 

    -w /etc/docker -p rwxa -k docker 

    -w /lib/systemd/system/docker.service -p rwxa -k docker 

    -w /lib/systemd/system/docker.socket -p rwxa -k docker 

    -w /etc/default/docker -p rwxa -k docker 

    -w /etc/docker/daemon.json -p rwxa -k docker 

    -w /usr/bin/docker-containerd -p rwxa -k docker 

    -w /usr/bin/docker-runc -p rwxa -k docker


Are there other options for output writing convention? Maybe in other Linux distributions? And how can I know (is there a manual or other documentation)?






linux audit linux-audit




linux audit linux-audit






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 9 at 21:47









Thomas Dickey

52.4k595166




52.4k595166










asked Jan 9 at 16:03









user330619user330619

1




1













  • perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

    – Thomas Dickey
    Jan 9 at 21:50



















  • perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

    – Thomas Dickey
    Jan 9 at 21:50

















perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

– Thomas Dickey
Jan 9 at 21:50





perhaps you didn't mean Ubuntu in the first bullet, since that's an old version. The developers of auditd don't give a lot of documentation, in any case.

– Thomas Dickey
Jan 9 at 21:50










0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493490%2fauditctl-l-output-is-different-between-different-auditd-version%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493490%2fauditctl-l-output-is-different-between-different-auditd-version%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-