[redhat-lspp] Watch question
Loulwa Salem
loulwas at us.ibm.com
Thu Apr 27 22:44:54 UTC 2006
Before, when a watch was added on a file path, every action affecting the file
was audited. However, here is what I am seeing now:
- add a watch on the file (an executable in this case, like /sbin/auditd)
- attempt to execute the file as a specific user
- we expect an audit record for the execve syscall.
However, I don't get a record for execve.
And from some analysis, when I do a listing of rules and watches, it looks
like the following syscalls are audited when a watch is added:
open, truncate, rename, mkdir, rmdir, creat, link, unlink, symlink, chmod,
fchmod, fchown, chown, lchown.
Is that what we intended? Should execve also be included?
Do we need to specifically add a syscall rule for execve now to capture the
audit record associated with it?
Thanks,
- Loulwa
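An added check, not part of the original post: a small parser over a constructed audit.log excerpt that reports which syscalls produced records carrying a PATH entry for the watched file, and which expected syscalls (execve here) produced none. The sample lines, the key name and the x86_64 syscall numbering are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt, not from the original post. x86_64 syscall
# numbers (2=open, 59=execve, 90=chmod) and the key name are assumptions.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1146177894.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="auditd_watch"
type=PATH msg=audit(1146177894.101:201): item=0 name="/sbin/auditd" inode=1234 dev=08:01 mode=0100755
type=SYSCALL msg=audit(1146177894.102:202): arch=c000003e syscall=90 success=yes exit=0 comm="chmod" exe="/bin/chmod" key="auditd_watch"
type=PATH msg=audit(1146177894.102:202): item=0 name="/sbin/auditd" inode=1234 dev=08:01 mode=0100755
type=SYSCALL msg=audit(1146177894.103:203): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key=(null)
type=PATH msg=audit(1146177894.103:203): item=0 name="/bin/ls" inode=999 dev=08:01 mode=0100755
"""

SYSCALL_NAMES = {2: "open", 59: "execve", 90: "chmod"}  # x86_64 subset (assumption)

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group audit records by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        rtype, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events[serial][rtype].append(fields)
    return events


def syscalls_seen_for_path(log_text, watched_path):
    """Names of syscalls whose event carries a PATH record naming watched_path."""
    seen = set()
    for recs in parse_events(log_text).values():
        if not any(p.get("name") == watched_path for p in recs.get("PATH", [])):
            continue
        for sc in recs.get("SYSCALL", []):
            num = int(sc.get("syscall", -1))
            seen.add(SYSCALL_NAMES.get(num, f"syscall_{num}"))
    return seen


def missing_syscalls(log_text, watched_path, expected):
    """Which of the expected syscalls produced no record for watched_path."""
    return set(expected) - syscalls_seen_for_path(log_text, watched_path)


if __name__ == "__main__":
    print(sorted(missing_syscalls(SAMPLE_LOG, "/sbin/auditd", {"open", "execve"})))
```

On the sample, open and chmod are recorded for /sbin/auditd while the execve event names only /bin/ls, so execve is reported as missing for the watched path.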