[PATCH] get dev value for inode audit records - take 3
Erich Schubert
erich.schubert at gmail.com
Wed Mar 2 02:36:12 UTC 2005
Hi,
> I tested filtering, works as expected. This generates something like:
>
> type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
I tried to have it do what I want, but I wasn't successful.
A typical log line looks like this:
type=KERNEL msg=audit(1109729446.695:310443): item=0
name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
uid=1000 gid=1000 rdev=00:00
Now I want to log only accesses to my IDE disk, so I tried
/usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3
My current list of filters is then
AUDIT_LIST: entry always syscall=execve
AUDIT_LIST: entry always devmajor=3 (0x3) syscall=open
And only execs are logged afterwards.
This is with audit 0.6.4, 2.6.11rc4, with the patch you sent earlier
(only differences I could find is that in the patch I applied, ino=0
and not -1 in the 5th chunk, and the missing forward declaration in
audit.h)
Greetings,
Erich Schubert
--
erich@(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für V_/_
eine Stunde wie eine Heimat aus. --- Herrmann Hesse
More information about the Linux-audit
mailing list