From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Fwd: linux auditd: Not getting log for chmod syscall
Date: Tue, 24 Jan 2012 11:03:11 -0500
Message-ID: <201201241103.12164.sgrubb@redhat.com>
In-Reply-To: <CAKYigEAEtqHM1Q+jHrEfE10VYWG7Kx0=CpSSLDNEmY4K7-4adg@mail.gmail.com>
On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> > Last time it was working for chmod, but this time, when I am
> > trying to get a log for the open system call, I have made similar
> > changes in the rules but did not get any log. Can you suggest
> > something? Details are given below:
The rules below only record events where access is denied based on permission
problems.
> > *rules*:
> >
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >
> > *strace output*: a file has been attached, named "output for
> > open sytem call.txt"
> >
> >
> > strace -o /root/open_output open w
> > /root/test01
I don't see any strace. However, if open is succeeding, the above rules would
not catch it. Or if it's failing for any reason except a permission problem, such
as ENOEXIST, the rules will not catch it.
-Steve
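As an added illustration of the point above, not code from this thread, here is a small Python script that applies the filters of the quoted arch=b64 rules (the four syscalls, exit=-EACCES or -EPERM, auid!=4294967295) to constructed SYSCALL records. The x86_64 syscall numbers and the sample records are assumptions made up for the demonstration, not real logs.

```python
import re

# Filters from the quoted rules: exit must equal -EACCES or -EPERM and the
# login uid must be set (auid != 4294967295, i.e. not a daemon/boot process).
EACCES, EPERM = 13, 1
UNSET_AUID = 4294967295
# x86_64 syscall numbers for the arch=b64 rules (assumption: x86_64 host).
B64_ARCH = "c000003e"
SYSCALLS_B64 = {2: "open", 85: "creat", 257: "openat", 76: "truncate"}

# Constructed SYSCALL records (not real audit.log lines), one per outcome:
# open succeeds, open fails with ENOENT, EACCES by a daemon with unset auid,
# EACCES by a logged-in user, EPERM on truncate by a logged-in user.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1327420000.101:1): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="strace"',
    'type=SYSCALL msg=audit(1327420000.102:2): arch=c000003e syscall=2 success=no exit=-2 auid=1000 uid=0 comm="strace"',
    'type=SYSCALL msg=audit(1327420000.103:3): arch=c000003e syscall=257 success=no exit=-13 auid=4294967295 uid=48 comm="httpd"',
    'type=SYSCALL msg=audit(1327420000.104:4): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 comm="cat"',
    'type=SYSCALL msg=audit(1327420000.105:5): arch=c000003e syscall=76 success=no exit=-1 auid=1000 uid=1000 comm="truncate"',
]

def parse_record(line):
    """Split an audit record into a key/value dict (quotes around values are stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def rule_verdict(rec):
    """Return (matched, reason) for a parsed SYSCALL record against the quoted rules."""
    if rec.get("arch") != B64_ARCH:
        return False, "arch is not b64"
    name = SYSCALLS_B64.get(int(rec["syscall"]))
    if name is None:
        return False, "syscall %s is not listed in the rule" % rec["syscall"]
    if int(rec["auid"]) == UNSET_AUID:
        return False, "%s has unset auid, filtered by auid!=4294967295" % name
    code = int(rec["exit"])
    if code == -EACCES:
        return True, "%s denied with EACCES" % name
    if code == -EPERM:
        return True, "%s denied with EPERM" % name
    if code >= 0:
        return False, "%s succeeded (exit=%d), rule only covers -EACCES/-EPERM" % (name, code)
    return False, "%s failed with errno %d, not a permission error" % (name, -code)

def audit_verdicts(lines=SAMPLE_RECORDS):
    """Evaluate every sample record; only the last two would be logged under key=access."""
    return [rule_verdict(parse_record(line)) for line in lines]

if __name__ == "__main__":
    for hit, why in audit_verdicts():
        print("LOGGED " if hit else "ignored", why)
```

The first two records are the strace scenario from the thread: a successful open and an open that fails with ENOENT both fall outside the exit=-EACCES/-EPERM filters, so auditd records nothing for them.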