audit in /selinux directory
Camilo Y. Campo
camilo at br.ibm.com
Fri Mar 9 19:31:32 UTC 2007
Hi All,
Some files in /selinux have a weird behavior on audit records... When I
try read (or write) some files with no read (or write) permission, I
can't get the audit record even when I watch the file.
Look at this example:
[root at alex tmp]# auditctl -w /selinux/disable
[root at alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root at alex tmp]# ausearch -i -f /selinux/disable
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64
syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160
a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023
key=(null)
The cat command failed and audit is saying "success". A bit strange for
me. Could anybody clarify this point for me, please?
Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo at br.ibm.com
More information about the Linux-audit
mailing list