How to capture mount event in /var/log/audit/audit.log
Peter Moody
pmoody at google.com
Mon Jul 9 21:30:11 UTC 2012
On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty at gmail.com> wrote:
> Hi Linda
>
> Thanks for the response,
>>> $ mount /dev/hdc /dev/cdrom
>>> mount: only root can do that
>
> $ strace mount
> shows a few lines plus the following:
> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
> (Permission denied)
>
> Then the root window that has tail -f /var/log/audit/audit.log
> does capture unsuccessful mount with exit=-13
>
> I need /var/log/audit/audit.log to be able to capture the mount event
> automatically without strace intervention.
On my system, I see no difference WRT audit.log between 'mount' &
'strace mount'; neither ends up calling the mount system call so
neither generates an audit log.
Cheers,
peter
> Betty
>
> ---------- Forwarded message ----------
> From: Betty Man <man.bty at gmail.com>
> Date: Fri, Jul 6, 2012 at 10:53 PM
> Subject: capture mount event in /var/log/audit/audit.log
> To: linux-audit at redhat.com
>
>
> Hi Everyone,
>
> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>
> Have the following in the /etc/audit/audit.rules
> ## non-privilege users using mount command.
> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>
> from a general user account
>
> $ mount /dev/hdc /dev/cdrom
> mount: only root can do that
>
> but /var/log/audit/audit.log does not capture this event
>
> Any input is much appreciated!
>
> Thanks in advance
>
> Betty
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
More information about the Linux-audit
mailing list