From: Linda Knippers <linda.knippers@hp.com>
To: Peter Moody <pmoody@google.com>
Cc: linux-audit@redhat.com
Subject: Re: How to capture mount event in /var/log/audit/audit.log
Date: Mon, 09 Jul 2012 17:35:37 -0400 [thread overview]
Message-ID: <4FFB4EA9.6050603@hp.com> (raw)
In-Reply-To: <CALnj_=6jSnLV-Wu7rA3+HuqtqgzHz15gtLXXgg3T6kubSDZ5sg@mail.gmail.com>
Peter Moody wrote:
> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty@gmail.com> wrote:
>> Hi Linda
>>
>> Thanks for the response,
>>>> $ mount /dev/hdc /dev/cdrom
>>>> mount: only root can do that
>> $ strace mount
>> shows a few lines plus the following:
>> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>> (Permission denied)
>>
>> Then the root window that has tail -f /var/log/audit/audit.log
>> does capture unsuccessful mount with exit=-13
>>
>> I need /var/log/audit/audit.log to be able to capture the mount event
>> automatically without strace intervention.
>
> On my system, I see no difference WRT audit.log between 'mount' &
> 'strace mount'; neither ends up calling the mount system call so
> neither generates an audit log.
Same for me.
Betty, what does your audit record look like?
As it stands today with syscall auditing, I suspect you'll only get
an audit record for mount(2) if the mount command succeeds or if it
fails for a reason that the mount command itself isn't checking for.
-- ljk
>
> Cheers,
> peter
>
>> Betty
>>
>> ---------- Forwarded message ----------
>> From: Betty Man <man.bty@gmail.com>
>> Date: Fri, Jul 6, 2012 at 10:53 PM
>> Subject: capture mount event in /var/log/audit/audit.log
>> To: linux-audit@redhat.com
>>
>>
>> Hi Everyone,
>>
>> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>>
>> Have the following in the /etc/audit/audit.rules
>> ## non-privilege users using mount command.
>> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>
>> from a general user account
>>
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
>>
>> but /var/log/audit/audit.log does not capture this event
>>
>> Any input is much appreciated!
>>
>> Thanks in advance
>>
>> Betty
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
next prev parent reply other threads:[~2012-07-09 21:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-09 21:21 How to capture mount event in /var/log/audit/audit.log Betty Man
2012-07-09 21:30 ` Peter Moody
2012-07-09 21:35 ` Linda Knippers [this message]
2012-07-09 21:57 ` Giang Nguyen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FFB4EA9.6050603@hp.com \
--to=linda.knippers@hp.com \
--cc=linux-audit@redhat.com \
--cc=pmoody@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.