AuditD module - right usage and syntax of -q flag in auditd rules

Lukas_Hubl · September 23, 2022, 10:52am

Hi,
I would like to use -q flag in auditd rule, but the rule with the -q flag is not working or even added into the rules list.
I have rule like this:
-a always,exit -F path=/home/lukashubl/ -q /home/lukashubl/dirtest,/home/lukashubl/dirtest/bin -F perm=rwxa
I am using auditbeat and I am getting this error:
flag provided but not defined: -q accessing '0'
I also tried to test the rule with auditctl: auditctl -a always,exit -F path=/home/lukashubl/ -q /home/lukashubl/dirtest,/home/lukashubl/dirtest/bin -F perm=rwxa
But when I list all rules by auditcl -l, the rule is not there and no error at output.

What is the right syntax and usage of -q flag in auditd rule?

system · October 21, 2022, 12:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is Auditbeat audit syntax to exclude a process or path? Beats auditbeat	2	1648	February 19, 2022
Auditbeat - auditd module default rules Beats auditbeat	2	423	September 29, 2022
Multiple "-module: auditd" stanzas in config file lead to problems Beats auditbeat	1	306	September 18, 2021
Delete audit rules on server Beats auditbeat	4	351	January 4, 2024
Auditbeat do not delete correctly Beats auditbeat	1	459	March 21, 2022

AuditD module - right usage and syntax of -q flag in auditd rules

Related topics