
Re: [PATCH] get dev value for inode audit records - take 3



* Erich Schubert (erich schubert gmail com) wrote:
> I tried to have it do what I want, but I wasn't successful.
> 
> A typical log line looks like this:
> type=KERNEL msg=audit(1109729446.695:310443): item=0
> name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
> uid=1000 gid=1000 rdev=00:00
> 
> Now I want to log only accesses to my IDE disk, so I tried
> 
> /usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3

devmajor is an exit filter.  So try something like:

/usr/local/sbin/auditctl -a entry,possible -S open
/usr/local/sbin/auditctl -a exit,always -S open -F devmajor=3

and let me know if that works?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
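
Added example, not part of the original message or of the audit project's code: a user-space filter that applies the same device-major criterion to already collected records in the format quoted above. It assumes the dev field is major:minor in hexadecimal; the second and third sample records and all function names are constructed for illustration.

```python
import re

# Constructed sample input. The first record is the line quoted in the
# message (re-joined onto one line); the other two are made up.
SAMPLE = """\
type=KERNEL msg=audit(1109729446.695:310443): item=0 name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729447.101:310444): item=0 name=/mnt/usb/notes.txt inode=12 dev=08:01 mode=0100644 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729447.200:310445): syscall=5 exit=3 pid=4242
"""

# key=value pairs separated by whitespace; values containing spaces
# are not handled by this simple pattern.
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return dict(FIELD.findall(line))


def dev_major(record):
    """Return the device major number, or None when the record carries
    no usable dev field (for example a record without inode data).
    Assumption: dev is formatted as major:minor in hexadecimal."""
    major, sep, _minor = record.get("dev", "").partition(":")
    if not sep:
        return None
    try:
        return int(major, 16)
    except ValueError:
        return None


def records_on_major(text, major):
    """Return the parsed records whose dev major equals `major`."""
    parsed = (parse_record(line) for line in text.splitlines())
    return [rec for rec in parsed if dev_major(rec) == major]


if __name__ == "__main__":
    for rec in records_on_major(SAMPLE, 3):
        print(rec["name"], rec["inode"], rec["dev"])
```
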

