audit.49 kernel

Steve Grubb sgrubb at redhat.com
Wed May 25 17:29:59 UTC 2005


On Wednesday 25 May 2005 12:34, Timothy R. Chavez wrote:
> Schnikies.  That's awfully suspicious.  I'll look into this after lunch

Try this script with audit-0.9:

#!/bin/bash
while [ 1 ] ;
do
        echo "Inserting..."
        auditctl -w /etc/passwd -k fk_passwd -p rwea
        auditctl -w /var/run/dbus/system_bus_socket -k dbus-test -p rwea
        echo "Deleting..."
        auditctl -D
done


Let it run in one window, check it after a few minutes. I always see stuff 
like this:

[root@endeavor ~]# auditctl -l
AUDIT_LIST: entry always syscall=mkdir AUDIT_LIST: entry always syscall=kill
AUDIT_WATCH_LIST: dev=3:2, path=, filterkey=fk_passwd, perms=rwea, valid=0
[root@endeavor ~]# auditctl -D
Error sending list request (No such file or directory)
NLMSG_ERROR 2 (No such file or directory) type=2 seq=5
No watches
AUDIT_WATCH_LIST: dev=3:2, path=, filterkey=fk_passwd, perms=rwea, valid=0

Another...
[root@endeavor ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=3:2, path=, filterkey=fk_passwd, perms=rwea, valid=0

The common issue is that path= is empty???

This also deadlocked my computer once and I had to hit the reset button. No 
oops. The mouse & keys did not work.

-Steve
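
Added example, not part of the original post: a Python check to run over captured `auditctl -l` / `auditctl -D` output while the loop above is running, flagging watch records whose path= is empty and watch records printed after "No watches". The function names are hypothetical, the field layout is assumed from the output quoted in the post, and the intact sample line is constructed.

```python
import re

# One AUDIT_WATCH_LIST record runs to the end of its line, or to the next
# AUDIT_* tag when two records end up on one line.
RECORD = re.compile(r"AUDIT_WATCH_LIST:\s*(.*?)(?=\s*AUDIT_\w+:|$)", re.M)
# key=value pairs separated by ", "; assumes values contain no comma or space.
FIELD = re.compile(r"(\w+)=([^,\s]*)")

# Watch line copied from the post, after "No watches" as seen from auditctl -D.
BROKEN = """\
No watches
AUDIT_WATCH_LIST: dev=3:2, path=, filterkey=fk_passwd, perms=rwea, valid=0
"""

# Constructed sample: what an intact entry is assumed to look like.
HEALTHY = """\
AUDIT_LIST: entry always syscall=mkdir AUDIT_WATCH_LIST: dev=3:2, path=/etc/passwd, filterkey=fk_passwd, perms=rwea, valid=1
"""


def parse_watches(text):
    """Return one dict of fields per AUDIT_WATCH_LIST record in text."""
    return [dict(FIELD.findall(m.group(1))) for m in RECORD.finditer(text)]


def empty_path_watches(text):
    """Watch records whose path= is empty, the symptom reported in the post."""
    return [w for w in parse_watches(text) if not w.get("path")]


def lists_watch_after_no_watches(text):
    """True if 'No watches' is printed and a watch record still follows it."""
    _, found, rest = text.partition("No watches")
    return bool(found) and bool(parse_watches(rest))


if __name__ == "__main__":
    import sys
    # Read captured output from a pipe; fall back to the embedded sample.
    out = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    for w in empty_path_watches(out):
        print("empty path:", w)
    if lists_watch_after_no_watches(out):
        print("watch record listed after 'No watches'")
```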



