Fwd: linux auditd: Not getting log for chmod syscall
Steve Grubb
sgrubb at redhat.com
Tue Jan 24 16:03:11 UTC 2012
On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> > Last time it was working for chmod, but this time when I am
> > trying to get log for open system call, I have made similar
> > changes in rules but did not get any log. Can you suggest
> > something? Details are given below:
The rules below only record events where access is denied based on permission
problems.
> > *rules*:
> >
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >
> > *strace output*: file has been attached named as "output for
> > open sytem call.txt"
> >
> >
> > strace -o /root/open_output open w
> > /root/test01
I don't see any strace. However, if open is succeeding, the above rules would
not catch it. Or if it's failing for any reason except a permission problem, such
as ENOEXIST, the rules will not catch it.
-Steve
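
Added example, not part of the original message or of the audit project's code: a simplified Python model of how the four quoted rules select syscall exits, run over constructed events. The function names and the event dictionaries are assumptions for illustration, and only the `=` and `!=` operators used by these rules are modelled.

```python
import errno
import shlex

# The four rules quoted in the message, each rejoined onto one line.
RULES = """\
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
"""

def parse_rule(line):
    """Return (syscall names, [(field, op, raw)]); -a and -k tokens are ignored."""
    syscalls, fields = set(), []
    it = iter(shlex.split(line))
    for tok in it:
        if tok == "-S":
            syscalls.add(next(it))
        elif tok == "-F":
            expr = next(it)
            op = "!=" if "!=" in expr else "="
            name, raw = expr.split(op, 1)
            fields.append((name, op, raw))
    return syscalls, fields

def field_value(raw):
    """'-EACCES' -> -13, '4294967295' -> int, 'b64' stays text."""
    name = raw.lstrip("-")
    if name.isdigit():
        return int(raw)
    if raw.startswith("-") and hasattr(errno, name):
        return -getattr(errno, name)
    return raw

def audited(event, rules=RULES):
    """True if any rule selects this syscall exit (every -F must hold)."""
    for line in rules.splitlines():
        syscalls, fields = parse_rule(line)
        ok = all((event[n] == field_value(r)) == (op == "=") for n, op, r in fields)
        if ok and event["syscall"] in syscalls:
            return True
    return False

def event(syscall, exit_code, auid=1000, arch="b64"):
    """Constructed sample event; a non-negative exit means the call succeeded."""
    return {"syscall": syscall, "exit": exit_code, "auid": auid, "arch": arch}

if __name__ == "__main__":
    for code in (3, -errno.EACCES, -errno.EPERM, -errno.ENOENT):
        print(f"open exit={code:4} logged={audited(event('open', code))}")
```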