[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: linux auditd: Not getting log for chmod syscall



On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote:
> I am using redhat 6, and trying to create logs for some system call using
> the rule given below:
> 
> *-a always,exit -F arch=b64  -S chmod -S fchmod -S fchmodat -F auid>=500
>  -F auid!=4294967295 -k perm_mod*

The rule works for me.

# auditctl -a always,exit -F arch=b64  -S chmod -S fchmod -S fchmodat -F 
'auid>=500' -F auid!=4294967295 -k perm_mod

I don't have any asterisk and I have single quote marks since bash will 
interpret the > as a redirection. But then doing a chmod command, it does pick 
up the fchmodat() syscall.


> After running command chmod i was not able to get any log, but when i used
> strace command i have seen that syscall have been called.
> I also checked that auditd service is running properly.

When you use auditctl -l, is the rule just like you expected?

LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 
(0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat

It should just work unless you are on a distribution that does not really 
support auditing.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]