
Re: Fwd: linux auditd: Not getting log for chmod syscall



On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> >        Last time it was working for chmod, but this time, when I am
> >        trying to get a log for the open system call, I have made similar
> >        changes in the rules but did not get any log. Can you suggest
> >        something? Details are given below:

The rules below only record events where access is denied based on permission 
problems.


> >        *rules*:
> >
> >        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
> >        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
> >        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >
> >        *strace output*: the file has been attached, named "output for
> >        open sytem call.txt"
> >
> >        strace -o /root/open_output open w /root/test01

I don't see any strace. However, if open is succeeding, the above rules would 
not catch it. Or if it's failing for any reason except a permission problem, such 
as ENOEXIST, the rules will not catch it.

-Steve
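
The filtering described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not the kernel's audit filter) that evaluates the four quoted rules against constructed syscall events. The event dictionaries and the helper names `parse_rule`, `field_value`, `matches` and `logged` are assumptions made for illustration.

```python
import errno
import shlex

# The four rules quoted in the thread, with the e-mail line wrapping undone.
RULES = [
    f"-a always,exit -F arch={arch} -S creat -S open -S openat -S truncate "
    f"-F exit=-{err} -F auid!=4294967295 -k access"
    for arch in ("b32", "b64") for err in ("EACCES", "EPERM")
]

def parse_rule(line):
    """Split one rule into its -S syscall set and its -F field tests."""
    tokens = shlex.split(line)
    syscalls, fields = set(), []
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag == "-S":
            syscalls.add(value)
        elif flag == "-F":
            op = "!=" if "!=" in value else "="
            name, _, want = value.partition(op)
            fields.append((name, op, want))
    return syscalls, fields

def field_value(name, want):
    """Convert a rule value: -EACCES becomes -13, digits become int."""
    if name == "exit" and want.startswith("-E"):
        return -getattr(errno, want[1:])
    return int(want) if want.isdigit() else want

def matches(rule, event):
    """A rule fires only if the syscall is listed AND every -F test holds."""
    syscalls, fields = rule
    if event["syscall"] not in syscalls:
        return False
    return all((event[name] == field_value(name, want)) == (op == "=")
               for name, op, want in fields)

def logged(event):
    return any(matches(parse_rule(r), event) for r in RULES)

# Constructed sample events (not real audit records).
BASE = {"arch": "b64", "syscall": "open", "auid": 1000}
EVENTS = {
    "open succeeds (returns fd 3)": {**BASE, "exit": 3},
    "open denied (EACCES)": {**BASE, "exit": -errno.EACCES},
    "open fails, file missing (ENOENT)": {**BASE, "exit": -errno.ENOENT},
    "open denied, auid unset": {**BASE, "exit": -errno.EACCES, "auid": 4294967295},
}

if __name__ == "__main__":
    for label, event in EVENTS.items():
        print(f"{label:36} -> {'logged' if logged(event) else 'not logged'}")
```

Only the denied open with a set auid produces a record; the successful open and the non-permission failure pass through every rule without matching `exit`.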

