[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to capture mount event in /var/log/audit/audit.log



It's probably because the mount(8) program fails -- apparently because
you are not root -- before it gets to call the mount(2) syscall. That
is why you don't see the mount syscall in either strace output or
audit log. Try running your mount command as root.

On Mon, Jul 9, 2012 at 5:35 PM, Linda Knippers <linda knippers hp com> wrote:
> Peter Moody wrote:
>> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man bty gmail com> wrote:
>>> Hi Linda
>>>
>>> Thanks for the response,
>>>>> $ mount /dev/hdc /dev/cdrom
>>>>> mount: only root can do that
>>> $ strace mount
>>> shows a few lines plus the following:
>>>  open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>>> (Permission denied)
>>>
>>> Then the root window  that has tail -f /var/log/audit/audit.log
>>> does capture unsuccessful mount with exit=-13
>>>
>>> I need /var/log/audit/audit.log to be able to capture the mount event
>>> automatically  without strace intervention.
>>
>> On my system, I see no difference WRT audit.log between 'mount' &
>> 'strace mount'; neither ends up calling the mount system call so
>> neither generates an audit log.
>
> Same for me.
>
> Betty, what does your audit record look like?
>
> As it stands today with syscall auditing, I suspect you'll only get
> an audit record for mount(2) if the mount command succeeds or if it
> fails for a reason that the mount command itself isn't checking for.
>
> -- ljk
>>
>> Cheers,
>> peter
>>
>>> Betty
>>>
>>> ---------- Forwarded message ----------
>>> From: Betty Man <man bty gmail com>
>>> Date: Fri, Jul 6, 2012 at 10:53 PM
>>> Subject: capture mount event in /var/log/audit/audit.log
>>> To: linux-audit redhat com
>>>
>>>
>>> Hi Everyone,
>>>
>>>  in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5
>>>
>>> Have the following in the /etc/audit/audit.rules
>>> ## non-privilege users using mount command.
>>>  -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>>
>>> from a general user account
>>>
>>> $ mount /dev/hdc /dev/cdrom
>>> mount: only root can do that
>>>
>>> but /var/log/audit/audit.log   does not capture this event
>>>
>>> Any input is much appreciated!
>>>
>>> Thanks in advance
>>>
>>> Betty
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit redhat com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]