From mboxrd@z Thu Jan  1 00:00:00 1970
From: Klaus Weidner <klaus@atsec.com>
Subject: Re: auditctl question
Date: Thu, 3 Aug 2006 10:18:14 -0500
Message-ID: <20060803151814.GC5964@w-m-p.com>
References: <20060731171437.GA447@clif.cflynt.com>
	<20060731200523.GA1183@clif.cflynt.com>
	<200607311713.57472.sgrubb@redhat.com>
	<1154551742.6710.65.camel@willipl1-ld1.jhuapl.edu>
	<20060803002207.GB5964@w-m-p.com>
	<17B584B5C0638745ADF6002331331FDFA7D6F0@aplesliberty.dom1.jhuapl.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k73FIaVI023794
	for <linux-audit@redhat.com>; Thu, 3 Aug 2006 11:18:36 -0400
Received: from mail.atsec.com (mail.atsec.com [195.30.252.105])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k73FIX0l032052
	for <linux-audit@redhat.com>; Thu, 3 Aug 2006 11:18:34 -0400
Content-Disposition: inline
In-Reply-To: <17B584B5C0638745ADF6002331331FDFA7D6F0@aplesliberty.dom1.jhuapl.edu>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Williams, P. Lane" <Lane.Williams@jhuapl.edu>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, Aug 03, 2006 at 09:00:25AM -0400, Williams, P. Lane wrote:
> I get ....
> 
> ----
> type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more
> ----

This is from "ausearch -i"? The raw audit log shouldn't have the
"(Permission denied)" part in it, but apart from that it seems that the
kernel is auditing things correctly and this is unrelated to the bug I
had referred to.

> so I only get permission denied entries.  Auditctl allows me to create the rule, and it list the rule.  But nothing is logged, when I know it should be.
> 
> I am running the 2.6.16.21 kernel (SUSE Enterprise Desktop 10) on AMD64 dual core machines.

This kernel has a snapshot of the audit code that was in development at
the time. Can you please try with a newer upstream kernel and/or bug SUSE
to incorporate the current audit fixes in an update?

-Klaus