From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Not trapping 'symlink' system call
Date: Wed, 6 Jun 2007 15:25:52 -0400
Message-ID: <200706061525.52238.sgrubb@redhat.com>
References: <4968-50499@sneakemail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4968-50499@sneakemail.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Eric Howard
List-Id: linux-audit@redhat.com

On Wednesday 06 June 2007 14:40, Eric Howard wrote:
> I have been tasked to generate test cases to validate the proper execution
> of particular syscall audit flags.

I think HP open sourced a test suite that tests the audit system:

http://sourceforge.net/projects/audit-test

> In most cases I have succeeded in triggering audit log entries. However, I
> have been unable to trigger audit entries for the 'symlink call'. My test
> cases are generated by a shell script that executes commands to trigger the
> relevant calls. In my test case I created a hard-link and a soft-link
> using /bin/ln. Running strace indicated that the syscall was definitely
> made but 'ausearch -sc symlink' shows nothing. I am using
> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.

Looking at the syscalls, it should trigger on something like:

auditctl -a always,exit -S symlink

Or were you testing it another way?

-Steve
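
A self-checking form of the test case discussed in this thread, as an added example that is not part of the original messages or of the audit project. The function names, the sample records and the `--live` switch are assumptions; the syscall numbers are the x86_64 values (symlink 88, link 86), and the live path assumes root and a running auditd.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Count type=SYSCALL records for one syscall number in raw audit records
# read from stdin. Raw records carry the arch-specific number, so the
# caller passes e.g. 88 for symlink on x86_64 (83 on i386).
count_syscall() {
    awk -v want="syscall=$1" '
        $1 == "type=SYSCALL" {
            for (i = 2; i <= NF; i++) if ($i == want) { n++; break }
        }
        END { print n + 0 }'
}

# Constructed sample records: "ln -s" (symlink, 88) and plain "ln" (link, 86).
# A hard link does not issue symlink, so only the first event should match.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1181157952.238:412): arch=c000003e syscall=88 success=yes exit=0 items=2 pid=3101 comm="ln" exe="/bin/ln"
type=PATH msg=audit(1181157952.238:412): name="soft-link"
type=SYSCALL msg=audit(1181157952.301:413): arch=c000003e syscall=86 success=yes exit=0 items=2 pid=3102 comm="ln" exe="/bin/ln"
EOF
}

# Live test: load the rule from the reply, trigger symlink, search, clean up.
# Returns 0 if ausearch found a record, 1 if not, 2 on setup failure.
live_test() {
    dir=$(mktemp -d) || return 2
    auditctl -a always,exit -S symlink || { rm -rf "$dir"; return 2; }
    ln -s /etc/hostname "$dir/soft-link"
    sleep 1   # give auditd time to write the record
    ausearch -sc symlink -ts recent >/dev/null 2>&1
    found=$?
    auditctl -d always,exit -S symlink
    rm -rf "$dir"
    [ "$found" -eq 0 ] && return 0
    return 1
}

# Run the live test only when asked; sourcing or plain execution is offline.
if [ "${1:-}" = "--live" ]; then
    live_test
    echo "live symlink audit test exit status: $?"
fi
```
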