Basic audit test fails

Amy Griffis amy.griffis at hp.com
Thu Mar 23 22:01:28 UTC 2006


On Wed, Mar 22, 2006 at 01:41:21PM -0700, Stephen J. Smoogen wrote:
> I have my notes correct). I am not sure that the below would work
> without the file patches.

The functionality Steve B is inquiring about is unrelated to the
filesystem audit patches.  If you use the 'uid' field instead of
'loginuid', you will see the records you expect, e.g.:

auditctl -a exit,always -S open -F uid=600

Filtering with 'uid' is based on the user actually executing the open
operation.  Filtering with 'loginuid' (called auid in the audit log)
is based on the user id used to gain access to the system, although
they may be opening the file as another user.

Records will be logged in different situations based on your choice of
these filter fields.  Of course, even if you don't want to filter
based on loginuid, it would be good to ensure it is being collected by
audit, as others have suggested.

> 
> > Second, I tried a basic test to audit files opened by a specific user (per
> > the auditctl  man page) but it doesn't seem to work:
> >
> 
> --
> Stephen J Smoogen.
> CSIRT/Linux System Administrator

More information about the Linux-audit mailing list