
Re: questions about auditing on a new RH 6 box



On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal 
EAGAIN for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not 
coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended? 

-Steve
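
The reading of each filter given in the reply above, as an added example that is not part of the original message or of the audit project's code: a small Python helper that parses the three quoted rules (rewrapped onto single lines), renders their -F fields in plain language, and flags a rule whose preceding comment says "failed" while the rule itself sets success=1. The function names and the short errno table are assumptions made for this illustration.

```python
import re

# Assumption: Linux errno numbering; only a few values are listed.
ERRNO = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}
UNSET_AUID = {"-1", "4294967295"}  # auid of a process with no login session

# The three rules quoted in the message, rewrapped onto single lines.
SAMPLE = """\
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
"""

def parse_rule(line):
    """Return (syscalls, filters) for one rule; accepts '-F x=y' and '-Fx=y'."""
    syscalls, filters = [], []
    for opt, arg in re.findall(r"-([aSF])\s*(\S+)", line):
        if opt == "S":
            syscalls.append(arg)
        elif opt == "F":  # only the = and != operators used in these rules
            filters.append(re.match(r"(\w+)(!=|=)(.+)", arg).groups())
    return syscalls, filters

def explain(line):
    """Render a rule's -F fields in plain language (arch is skipped)."""
    syscalls, filters = parse_rule(line)
    parts = []
    for field, op, value in filters:
        if field == "success":
            parts.append("successful" if (value == "1") == (op == "=") else "not successful")
        elif field == "auid":
            who = "no login session" if value in UNSET_AUID else "login uid " + value
            parts.append(who if op == "=" else "not " + who)
        elif field == "exit":
            name = ERRNO.get(-int(value), value)
            parts.append("exit %s %s" % ("is" if op == "=" else "is not", name))
    return "/".join(syscalls) + " calls: " + ", ".join(parts)

def lint(text):
    """Return explanations of rules whose comment says 'failed' but which set success=1."""
    findings, comment = [], ""
    for line in text.splitlines():
        if line.startswith("#"):
            comment = line.lower()
        elif line.strip():
            if "failed" in comment and ("success", "=", "1") in parse_rule(line)[1]:
                findings.append(explain(line))
            comment = ""
    return findings
```

Calling lint(SAMPLE) returns one finding, the third rule, which is the mismatch the closing question in the reply points at.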

