[redhat-lspp] Watch question

Loulwa Salem loulwas at us.ibm.com
Thu Apr 27 22:44:54 UTC 2006


Before, when a watch was added on a file path, every action affecting the file
was audited. However, here is what I am seeing now ...

- add a watch on the file (an executable in this case, like /sbin/auditd)
- attempt to execute the file as a specific user
- we expect an audit record for the execve syscall.
However, I don't get a record for execve.

And from some analysis, when I do a listing of rules and watches, it looks
like the following syscalls are audited when a watch is added:
	open, truncate, rename, mkdir, rmdir, creat, link, unlink, symlink, chmod,
	fchmod, chown, fchown, lchown.

Is that what we intended? Should execve also be included?

Do we need to specifically add a syscall rule for execve now to capture the 
audit record associated with it?

Thanks,
- Loulwa
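Added example (not part of the list post, and not from the audit project itself) that shows the two halves of the question above: a small log check that reports which syscalls were actually captured for a watched path, so one can see whether an execve event is present or only the open/chmod/rename family listed above, and the rule pair (file watch plus an explicit execve syscall rule) that makes the execve record appear. The audit log lines are constructed for the example, the syscall-number map covers x86_64 only, and the auditctl flags (-p x, -F path=, -F arch=b64) follow current auditctl(8) syntax, which may not match what the 2006 tools accepted.

```shell
#!/bin/sh
# Constructed sample audit log: two coalesced events (records sharing a serial).
# Event 456 is an execve of /sbin/auditd, event 457 is an open() of the same file.
SAMPLE_LOG='type=SYSCALL msg=audit(1146177894.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=500 uid=500 comm="auditd" exe="/sbin/auditd" key="watch-auditd"
type=EXECVE msg=audit(1146177894.123:456): argc=1 a0="/sbin/auditd"
type=CWD msg=audit(1146177894.123:456):  cwd="/home/loulwa"
type=PATH msg=audit(1146177894.123:456): item=0 name="/sbin/auditd" inode=12345 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1146177899.500:457): arch=c000003e syscall=2 success=yes exit=3 ppid=1200 pid=1202 auid=500 uid=500 comm="cat" exe="/bin/cat" key="watch-auditd"
type=CWD msg=audit(1146177899.500:457):  cwd="/home/loulwa"
type=PATH msg=audit(1146177899.500:457): item=0 name="/sbin/auditd" inode=12345 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00'

# syscalls_for_path LOG PATH
# Prints "serial syscall-name" for every event whose PATH record names PATH.
# Records are joined on the audit serial (the number after the colon inside
# msg=audit(...)). Syscall numbers are x86_64 (arch=c000003e); the name map
# covers only what this example needs, unknown numbers are printed as-is.
syscalls_for_path() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function serial(s) {
            sub(/^.*msg=audit\([0-9.]+:/, "", s); sub(/\).*$/, "", s); return s
        }
        /^type=SYSCALL/ {
            match($0, /syscall=[0-9]+/)
            sc[serial($0)] = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^type=PATH/ {
            match($0, /name="[^"]*"/)
            if (substr($0, RSTART + 6, RLENGTH - 7) == want) hit[serial($0)] = 1
        }
        END {
            split("59 execve 2 open 257 openat 90 chmod 82 rename 87 unlink", kv, " ")
            for (i = 1; i in kv; i += 2) name[kv[i]] = kv[i + 1]
            for (s in hit) print s, (sc[s] in name ? name[sc[s]] : sc[s])
        }' | sort -n
}

# has_execve_for_path LOG PATH -> exit 0 if an execve event on PATH was logged.
has_execve_for_path() {
    syscalls_for_path "$1" "$2" | grep -q ' execve$'
}

# rules_for_watch PATH KEY
# Prints the rules to load: the watch with execute permission, plus an explicit
# execve syscall rule restricted to PATH. The second line is the "specifically
# add a syscall rule for execve" option from the post; -p x, -F path= and
# -F arch=b64 are current auditctl(8) syntax (assumption, not the 2006 tool).
rules_for_watch() {
    printf 'auditctl -w %s -p x -k %s\n' "$1" "$2"
    printf 'auditctl -a always,exit -F arch=b64 -S execve -F path=%s -k %s\n' "$1" "$2"
}

# Stand-alone run: show what the sample log captured for the watched file.
syscalls_for_path "$SAMPLE_LOG" /sbin/auditd
```

To check a real system, replace SAMPLE_LOG with the output of ausearch -k watch-auditd (or the contents of /var/log/audit/audit.log) and look for an execve line in the result; if only open/chmod-style entries appear, load the rules printed by rules_for_watch as root and re-run the executable.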
