* Not trapping 'symlink' system call
@ 2007-06-06 18:40 Eric Howard
From: Eric Howard @ 2007-06-06 18:40 UTC (permalink / raw)
To: linux-audit
I have been tasked to generate test cases to validate the proper execution of particular syscall audit flags. In most cases I have succeeded in triggering audit log entries. However, I have been unable to trigger audit entries for the 'symlink' call. My test cases are generated by a shell script that executes commands to trigger the relevant calls. In my test case I created a hard link and a soft link using /bin/ln. Running strace indicated that the syscall was definitely made, but 'ausearch -sc symlink' shows nothing. I am using audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
Sincerely,
Eric Howard
--------------------------------------
Protect yourself from spam,
use http://sneakemail.com
* Re: Not trapping 'symlink' system call
@ 2007-06-06 19:25 ` Steve Grubb
From: Steve Grubb @ 2007-06-06 19:25 UTC (permalink / raw)
To: linux-audit; +Cc: Eric Howard
On Wednesday 06 June 2007 14:40, Eric Howard wrote:
> I have been tasked to generate test cases to validate the proper execution
> of particular syscall audit flags.
I think HP open sourced a test suite that tests the audit system:
http://sourceforge.net/projects/audit-test
> In most cases I have succeeded in triggering audit log entries. However, I
> have been unable to trigger audit entries for the 'symlink' call. My test
> cases are generated by a shell script that executes commands to trigger the
> relevant calls. In my test case I created a hard link and a soft link
> using /bin/ln. Running strace indicated that the syscall was definitely
> made, but 'ausearch -sc symlink' shows nothing. I am using
> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
Looking at the syscalls, it should trigger on something like:
auditctl -a always,exit -S symlink
Or were you testing it another way?
-Steve
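An added example, not code from the thread or the audit project: a shell check over an audit.rules file that flags syscall rules whose action is not 'always' (the mistake Eric hit, since a 'possible' rule gave 'ausearch -sc' nothing to find), followed by the end-to-end test Steve outlines. The sample rules file is constructed, and the temporary directory used for the symlink is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. count_nonalways_rules flags syscall
# rules whose action is not 'always' (a 'possible' rule gave 'ausearch -sc'
# nothing to find); run_symlink_test is Steve's end-to-end check (root only).

# Print the number of -a/-A syscall rules in a rules file whose action is not
# 'always'; each offending rule is reported on stderr.
count_nonalways_rules() {
    count=0
    while IFS= read -r line; do
        case "$line" in
            -a\ *|-A\ *) ;;          # list/action rules only
            *) continue ;;
        esac
        case "$line" in
            *-S\ *) ;;               # only rules that name a syscall
            *) continue ;;
        esac
        action=unknown               # field 2 is "action,list" or "list,action"
        for part in $(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' '); do
            case "$part" in
                always|never|possible) action=$part ;;
            esac
        done
        if [ "$action" != always ]; then
            printf 'no records expected: %s (action=%s)\n' "$line" "$action" >&2
            count=$((count + 1))
        fi
    done < "$1"
    echo "$count"
}

# Constructed sample rules file: the thread's working rule beside the broken one.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
-a always,exit -S symlink
-a possible,exit -S link
-w /etc/passwd -p wa
EOF

# Load the working rule, issue a symlink syscall, then search (root, auditd running).
run_symlink_test() {
    auditctl -a always,exit -S symlink
    d=$(mktemp -d)                       # assumed scratch location
    ln -s "$d/target" "$d/link"          # /bin/ln -s makes the symlink call
    ausearch -sc symlink                 # the SYSCALL record should now appear
}

count_nonalways_rules "$SAMPLE_RULES"    # prints 1
```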
* Not trapping 'symlink' system call
@ 2007-06-06 19:56 Eric Howard
From: Eric Howard @ 2007-06-06 19:56 UTC (permalink / raw)
To: linux-audit
Ah, I see my mistake. I was using 'possible' instead of 'always'. Thanks for your help!
-- Eric --