From: "Eric Howard"
Subject: Not trapping 'symlink' system call
Date: 6 Jun 2007 19:56:49 -0000
Message-ID: <13697-64304@sneakemail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Ah, I see my mistake. I was using 'possible' instead of 'always'. Thanks for your help!

-- Eric

Steve Grubb sgrubb-at-redhat.com |redhat-audit-mailing-list| wrote:
> On Wednesday 06 June 2007 14:40, Eric Howard wrote:
>> I have been tasked to generate test cases to validate the proper execution
>> of particular syscall audit flags.
>
> I think HP open sourced a test suite that tests the audit system:
> http://sourceforge.net/projects/audit-test
>
>> In most cases I have succeeded in triggering audit log entries. However, I
>> have been unable to trigger audit entries for the 'symlink call'. My test
>> cases are generated by a shell script that executes commands to trigger the
>> relevant calls. In my test case I created a hard-link and a soft-link
>> using /bin/ln. Running strace indicated that the syscall was definitely
>> made but 'ausearch -sc symlink' shows nothing. I am using
>> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
>
> Looking at the syscalls, it should trigger on something like:
>
> auditctl -a always,exit -S symlink
>
> Or were you testing it another way?
>
> -Steve
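
A test case along the lines discussed in this thread, as an added example that is not part of the original messages: it installs the `always,exit` rule, makes a hard link and a soft link with `ln`, and checks that `ausearch` reports a new symlink record. The helper names, the `--run` switch and the `SAMPLE` records are constructed for illustration; `--run` assumes root and a running auditd.

```shell
#!/bin/sh
# Added example: checks that an 'always' exit rule on symlink yields a record.
# Nothing privileged runs unless the script is called with --run.

RULE="always,exit"   # the thread's fix; with 'possible' ausearch showed nothing

# Constructed sample of interpreted (ausearch -i) records, for offline checks.
SAMPLE='type=SYSCALL msg=audit(06/06/2007 15:40:09.101:412) : arch=i386 syscall=symlink success=yes exit=0 comm=ln exe=/bin/ln
type=SYSCALL msg=audit(06/06/2007 15:40:09.107:413) : arch=i386 syscall=link success=yes exit=0 comm=ln exe=/bin/ln
type=PATH msg=audit(06/06/2007 15:40:09.101:412) : name=soft.lnk'

# Count SYSCALL records for symlink read from stdin. The trailing space in the
# pattern keeps symlinkat from matching; link (the hard link) never matches.
count_symlink_records() {
    grep -c 'type=SYSCALL .*syscall=symlink ' || true
}

# Number of symlink records currently in the audit log.
logged_symlinks() {
    ausearch -i -sc symlink 2>/dev/null | count_symlink_records
}

run_test() {
    auditctl -a "$RULE" -S symlink || return 2
    dir=$(mktemp -d) || return 2
    before=$(logged_symlinks)
    touch "$dir/target"
    ln "$dir/target" "$dir/hard.lnk"      # link(2): must not add a record
    # Assumes ln issues symlink(2), as strace showed in the thread. If strace
    # shows symlinkat on your system, audit that syscall instead.
    ln -s "$dir/target" "$dir/soft.lnk"
    sleep 1                               # give auditd time to write the record
    after=$(logged_symlinks)
    auditctl -d "$RULE" -S symlink        # remove the rule again
    rm -rf "$dir"
    [ "$after" -gt "$before" ]
}

if [ "${1:-}" = "--run" ]; then
    if run_test; then echo "PASS: symlink audited"; else echo "FAIL"; exit 1; fi
fi
```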