This commit will add additional example in auditctl(8) manpage which will help users to use shell escaping while defining the rules through auditctl command. As some characters require escaping when invoked from a shell. It is known issue that shell interpret '>' as redirection which results in auditctl giving errors like "-F missing operation for auid".
Signed-off-by: Romesh Upadhyay <[email protected]> --- docs/auditctl.8 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 8069259..e987452 100644 --- a/docs/auditctl.8 +++ b/docs/auditctl.8 @@ -317,6 +317,12 @@ To watch a file for changes (2 ways to express): .B auditctl \-a always,exit \-F path=/etc/shadow \-F perm=wa .fi +Using shell escaping in bash by defining '\' before '>' to avoid interpretation of special characters such as '>','<' as a file redirection: + +.nf +.B auditctl \-a exit,always \-F arch=b64 \-S fchmodat \-F auid\>=500 \-F auid\!=4294967295 \-k perm_mod +.fi + To recursively watch a directory for changes (2 ways to express): .nf -- 1.8.3.1 -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
