From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: linux auditd: Not getting log for chmod syscall Date: Fri, 13 Jan 2012 15:04:37 -0500 Message-ID: <201201131504.38174.sgrubb@redhat.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote: > I am using redhat 6, and trying to create logs for some system call using > the rule given below: > > *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 > -F auid!=4294967295 -k perm_mod* The rule works for me. # auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F 'auid>=500' -F auid!=4294967295 -k perm_mod I don't have any asterisk and I have single quote marks since bash will interpret the > as a redirection. But then doing a chmod command, it does pick up the fchmodat() syscall. > After running command chmod i was not able to get any log, but when i used > strace command i have seen that syscall have been called. > I also checked that auditd service is running properly. When you use auditctl -l, is the rule just like you expected? LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat It should just work unless you are on a distribution that does not really support auditing. -Steve