ausearch_add_regex - Linux


Overview

ausearch_add_regex is a command-line utility used to add regular expression filters to auditd (the Linux audit daemon) rules. It allows users to define custom filters that match specific event data, providing more granular control over the audit trail.

Syntax

ausearch_add_regex <regex> <fieldname> <operator> <value> [<options>]

Parameters:

  • <regex>: Regular expression to match against the specified field.
  • <fieldname>: Field name to match against (e.g., msg, exe, uid).
  • <operator>: Operator to use for comparison (e.g., =, !=, ~).
  • <value>: Value to compare against the field.

Options/Flags

  • -t, --test: Test the filter without actually adding it.
  • -l, --limit: Limit the number of matches.
  • -f, --file: Output matches to the specified file.
  • -c, --cron: Output results in cron-like format.
  • -h, --help: Display help.

Examples

Simple Regex Filter:

ausearch_add_regex ".*user.*" msg = root

This filter will match all events with the string "user" in the message field, where the user is root.

Complex Regex Filter:

ausearch_add_regex "^.*/bin/bash" exe != 0x0 -t

With -t the filter is only tested, not added: it reports whether any event has a program executable path matching "/bin/bash" and a non-zero return code.
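
The two examples above both express the same idea: a regular expression applied to one field of an audit record, optionally negated, with several such criteria combined. The following is an added illustration, not part of this page or of the audit tools it describes. It parses a handful of constructed audit records (the `type=... msg=audit(ts:serial): key=value` layout auditd writes) and applies field-regex criteria in the same spirit as the two filters shown, so you can see exactly which records a criterion set keeps; the `RegexFilter` class and `search` function are assumptions of this example, not commands or APIs from the page.

```python
import re

# Constructed sample audit records for this example (not real log data).
# They follow the key=value layout auditd writes; values may be quoted.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 exe="/usr/bin/bash" uid=0 auid=1000 key="exec"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=no exit=-13 exe="/bin/bash" uid=1000 auid=1000 key="exec"',
    "type=USER_LOGIN msg=audit(1700000000.103:203): pid=900 uid=0 auid=1000 msg='op=login acct=\"user1\" exe=\"/usr/sbin/sshd\" res=success'",
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=2 success=yes exit=3 exe="/usr/bin/cat" uid=1000 auid=1000 key="files"',
]

# Record header: type, timestamp and serial, followed by the field body.
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# One key=value pair; the value is double-quoted, single-quoted, or bare.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Parse one audit record into a dict of field -> value (quotes stripped).
    Returns None for a line that does not look like an audit record."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, val in FIELD_RE.findall(m.group(4)):
        if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
            val = val[1:-1]
        rec.setdefault(key, val)  # keep the first occurrence of a repeated key
    return rec


class RegexFilter:
    """A set of (field, regex, negate) criteria; a record must satisfy all of them.
    negate=True corresponds to the page's '!=' operator: the field must NOT match."""

    def __init__(self):
        self.criteria = []

    def add_regex(self, field, pattern, negate=False):
        self.criteria.append((field, re.compile(pattern), negate))
        return self  # allow chaining several criteria

    def matches(self, rec):
        for field, rx, negate in self.criteria:
            value = rec.get(field)
            hit = value is not None and rx.search(value) is not None
            if hit == negate:  # matched when it must not, or missed when it must
                return False
        return True


def search(lines, flt):
    """Return the parsed records from `lines` that satisfy every criterion in `flt`."""
    parsed = (parse_record(line) for line in lines)
    return [rec for rec in parsed if rec is not None and flt.matches(rec)]


if __name__ == "__main__":
    # Counterpart of the second page example: exe ends in /bin/bash AND exit is not 0.
    bash_failures = RegexFilter().add_regex("exe", r"/bin/bash$").add_regex("exit", r"^0$", negate=True)
    for rec in search(SAMPLE_RECORDS, bash_failures):
        print("bash with non-zero exit:", rec["serial"], rec["exe"], rec["exit"])

    # Counterpart of the first page example: "user" in the msg field AND uid is root.
    root_user_msgs = RegexFilter().add_regex("msg", "user").add_regex("uid", r"^0$")
    for rec in search(SAMPLE_RECORDS, root_user_msgs):
        print("root event mentioning user:", rec["serial"], rec["msg"])
```

Note that a record lacking the field altogether (record 201 has no `msg` field once the `msg=audit(...)` header is consumed) never satisfies a positive criterion, while a negated criterion on a missing field is satisfied; whichever convention you choose, decide it deliberately, because a filter that silently treats "field absent" as "field matches" will hide events from the audit trail.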

Common Issues

  • Incorrect syntax: Ensure the command is invoked with the correct syntax. Missing or incorrect arguments can lead to errors.
  • Invalid regular expression: Verify that the provided regular expression is syntactically valid and matches the intended pattern.
  • Permission denied: Make sure you have sufficient privileges to modify audit rules (typically requires root or sudo).

Integration

Combining with Other Commands:

  • ausearch: Use ausearch with the added filter to search for matching events:
      ausearch -se msg
  • aureport: Generate reports based on the filtered events:
      aureport -f <filter_name>

Related Commands

  • aureport: Generates audit reports.
  • ausearch: Searches for audit events.
  • auditctl: Modifies audit rules.