
Re: linux auditd: Not getting log for chmod syscall



Just remove the quotes. They're only necessary when running auditctl directly from bash.

Regards,
Marcelo

On 01/18/2012 09:10 AM, bharat gupta wrote:
When I am using auid>=500 in quotes like you told me:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F 'auid>=500' -F auid!=4294967295 -k perm_mod

it is giving an error:
#service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
-F unknown field: "auid
There was an error in line 102 of /etc/audit/audit.rules



On Sat, Jan 14, 2012 at 1:34 AM, Steve Grubb <sgrubb redhat com> wrote:

    On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote:
    > I am using redhat 6, and trying to create logs for some system calls using
    > the rule given below:
    >
    > *-a always,exit -F arch=b64  -S chmod -S fchmod -S fchmodat -F auid>=500
    >  -F auid!=4294967295 -k perm_mod*

    The rule works for me.

    # auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F 'auid>=500' -F auid!=4294967295 -k perm_mod

    I don't have any asterisk and I have single quote marks since bash will
    interpret the > as a redirection. But then doing a chmod command, it does
    pick up the fchmodat() syscall.


    > After running the chmod command I was not able to get any log, but when
    > I used the strace command I saw that the syscall had been called.
    > I also checked that the auditd service is running properly.

    When you use auditctl -l, is the rule just like you expected?

    LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat

    It should just work unless you are on a distribution that does not really
    support auditing.

    -Steve




--
Bharat Gupta
IIT -Roorkee



--
Linux-audit mailing list
Linux-audit redhat com
https://www.redhat.com/mailman/listinfo/linux-audit

