[PATCH] get dev value for inode audit records - take 3
Chris Wright
chrisw at osdl.org
Wed Mar 2 04:20:59 UTC 2005
* Erich Schubert (erich.schubert at gmail.com) wrote:
> I tried to have it do what I want, but I wasn't successful.
>
> A typical log line looks like this:
> type=KERNEL msg=audit(1109729446.695:310443): item=0
> name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
> uid=1000 gid=1000 rdev=00:00
>
> Now I want to log only accesses to my IDE disk, so I tried
>
> /usr/local/sbin/auditctl -a entry,always -S open -F devmajor=3

devmajor is an exit filter. So try something like:

  /usr/local/sbin/auditctl -a entry,possible -S open
  /usr/local/sbin/auditctl -a exit,always -S open -F devmajor=3

and let me know if that works?

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
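
Added example, not part of the original message or of the audit tools: a Python check that reads records in the format quoted above and lists every inode record whose dev major differs from the one the filter was meant to match, which is one way to confirm the suggested rules behave as intended. The sample log is constructed for illustration, and reading dev=MAJ:MIN as hexadecimal is an assumption.

```python
import re

# Constructed sample: the first record copies the line quoted in the thread,
# the other two are made up to exercise the check.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1109729446.695:310443): item=0 name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729447.102:310444): item=0 name=/mnt/usb/notes.txt inode=42 dev=08:11 mode=0100644 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729447.530:310445): syscall=5 exit=3 pid=2211
"""

SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Return (serial, fields) for one audit line, or None if it is not one."""
    m = SERIAL.search(line)
    if not m:
        return None
    # Only the key=value pairs after the msg=audit(...) header are record fields.
    return int(m.group(2)), dict(FIELD.findall(line[m.end():]))


def dev_major(fields):
    """Major number from dev=MAJ:MIN; None if the field is absent or malformed.
    Assumption: both halves are hexadecimal."""
    major, sep, _minor = fields.get("dev", "").partition(":")
    try:
        return int(major, 16) if sep else None
    except ValueError:
        return None


def records_off_device(log_text, want_major):
    """(serial, name, dev) for inode records logged from any other device."""
    misses = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, fields = parsed
        major = dev_major(fields)
        # Records without a dev field (e.g. the syscall record) are skipped.
        if major is not None and major != want_major:
            misses.append((serial, fields.get("name"), fields["dev"]))
    return misses


if __name__ == "__main__":
    for serial, name, dev in records_off_device(SAMPLE_LOG, 3):
        print(f"record {serial}: {name} on dev {dev} is outside devmajor=3")
```

An empty result over a log captured after loading the rules means every inode record came from the intended device.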