
Re: [PATCH] get dev value for inode audit records - take 3


> I tested filtering, works as expected.  This generates something like:
> type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00

I tried to have it do what I want, but I wasn't successful.

A typical log line looks like this:
type=KERNEL msg=audit(1109729446.695:310443): item=0
name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
uid=1000 gid=1000 rdev=00:00

Now I want to log only accesses to my IDE disk, so I tried

/usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3

My current list of filters is then
AUDIT_LIST: entry always syscall=execve
AUDIT_LIST: entry always devmajor=3 (0x3) syscall=open
And only execs are logged afterwards.

This is with audit 0.6.4, 2.6.11rc4, with the patch you sent earlier
(the only differences I could find are that in the patch I applied, ino=0
and not -1 in the 5th chunk, and the missing forward declaration in

Erich Schubert
    erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C    (o_
  To understand recursion you first need to understand recursion.   //\
  Where friendly paths come together, the whole world looks like home  V_/_
        for an hour. --- Hermann Hesse

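As an added illustration (not code from this thread or from the audit project), a small parser for the record format quoted in the mail that applies the same devmajor=3 selection in userland, useful for checking what a kernel filter should have let through; the two sample records are constructed from the lines above, and the dev= field is taken as hex major:minor, so fd:00 is major 253 and 03:05 is the IDE major 3.

```python
import re

# Constructed sample records, modelled on the two lines quoted in the mail
# (one file on a device-mapper volume, one on the IDE disk with major 3).
SAMPLE_LOG = """\
type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1109729446.695:310443): item=0 name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600 uid=1000 gid=1000 rdev=00:00
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one audit record into a dict of key=value fields.
    The msg=audit(...) token is kept verbatim under 'msg'."""
    return dict(FIELD_RE.findall(line))


def parse_dev(value):
    """dev= and rdev= are printed as hex 'major:minor' (fd:00 is major 253)."""
    major, minor = value.split(":")
    return int(major, 16), int(minor, 16)


def filter_devmajor(log_text, devmajor):
    """Return the names of files whose record carries a dev= value with the
    given major number, mirroring an auditctl -F devmajor=N rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "dev" not in rec:
            continue
        major, _minor = parse_dev(rec["dev"])
        if major == devmajor:
            hits.append(rec["name"])
    return hits


if __name__ == "__main__":
    print(filter_devmajor(SAMPLE_LOG, 3))  # ['/home/erich/.esd_auth']
```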