audit 0.9.12 released
Loulwa Salem
loulwas at us.ibm.com
Thu Jun 23 17:47:52 UTC 2005
I don't seem to get the filtering on auid to work ...
I am attaching a test case so you can see how I am testing this ..
I am on kernel.65 and audit 0.9.12
Test strategy:
1- add filter rules for a user
2- add a watch on a file
3- create two temp users (my users have to be in Wheel trusted group in order to ssh into the system .. may not apply to everybody).
4- spawn ssh session user1 at localhost and touch the watched file
5- Remove the file (so other user can touch it again)
6- spawn ssh session user2 at localhost and touch the watched file
7- stop auditd and copy the audit.log to a temp file (/tmp/loginuid_logs)
For Step 1 above, I tried the following scenarios:
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid!=uid1
or
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid=uid2
Neither seems to work .. in the log I still see watch records for open
on the watched file generated by both users!!
- Loulwa
Name: filter-auid.c
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050623/fb9de5e7/attachment.c>
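As an added example (not from the post and not the attached filter-auid.c): a small Python check of the kind the post does by eye on the copied audit.log, correlating SYSCALL and PATH records by their audit serial and reporting which auids generated records for the watched path, so a filter rule that was meant to exclude a login uid can be verified rather than eyeballed. It assumes the `type=... msg=audit(ts:serial)` record layout and uses constructed log lines.

```python
import re
from collections import defaultdict

# Constructed sample log: two "touch" events on the watched file from two
# different login uids (serials 101 and 102) plus one unrelated event (103).
# All field values are made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1119548872.101:101): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2201 auid=501 uid=501 gid=501 comm="touch" exe="/bin/touch"
type=PATH msg=audit(1119548872.101:101): item=0 name="/tmp/watched" inode=1234 dev=08:01 mode=0100644 ouid=501 ogid=501
type=SYSCALL msg=audit(1119548872.150:102): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2210 auid=502 uid=502 gid=502 comm="touch" exe="/bin/touch"
type=PATH msg=audit(1119548872.150:102): item=0 name="/tmp/watched" inode=1234 dev=08:01 mode=0100644 ouid=502 ogid=502
type=SYSCALL msg=audit(1119548872.200:103): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=2210 auid=502 uid=502 gid=502 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1119548872.200:103): item=0 name="/etc/motd" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# One audit record: type, the msg=audit(ts:serial) header, then key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into (record type, serial, {field: value})."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return m.group('type'), int(m.group('serial')), fields

def auids_touching(log_text, watched_path):
    """Return {auid: [serials]} for events whose PATH record names watched_path."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == 'SYSCALL':
            events[serial]['auid'] = fields.get('auid')
        elif rtype == 'PATH' and fields.get('name') == watched_path:
            events[serial]['hit'] = True
    result = defaultdict(list)
    for serial, ev in sorted(events.items()):
        if ev.get('hit') and ev.get('auid') is not None:
            result[ev['auid']].append(serial)
    return dict(result)

def filter_leaked(log_text, watched_path, allowed_auid):
    """True if any event on watched_path carries an auid other than allowed_auid."""
    return any(a != str(allowed_auid) for a in auids_touching(log_text, watched_path))
```

Running `filter_leaked(SAMPLE_LOG, "/tmp/watched", 501)` on the sample returns True, which is exactly the situation the post describes: the rule was meant to keep only uid1, yet the second user's records are still present.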