From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Fwd: linux auditd: Not getting log for chmod syscall
Date: Tue, 24 Jan 2012 11:03:11 -0500
Message-ID: <201201241103.12164.sgrubb@redhat.com>
References: <4F1ECDD2.5040907@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> > Last time it was working for chmod but this time when I am
> > trying to get log for open system call, I have made similar
> > changes in rules but did not get any log. Can you suggest
> > something? Details are given below:

The rules below only record events where access is denied based on
permission problems.

> > *rules*:
> >
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >
> > *strace output*: file has been attached, named "output for
> > open sytem call.txt"
> >
> >
> > strace -o /root/open_output open w
> > /root/test01

I don't see any strace. However, if open is succeeding, the above rules
would not catch it. Or if it's failing for any reason except a permission
problem such as ENOEXIST the rules will not catch it.

-Steve
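To make Steve's point concrete, here is an added example (not code from the thread or from the audit project) that models how the posted rules filter on the syscall's return value: a small matcher for the subset of auditctl syntax used above, fed with constructed syscall outcomes. A successful open (positive fd), an ENOENT failure, or an event with an unset login uid (4294967295) matches no rule, while an EACCES or EPERM failure is tagged with key "access". The rule grammar handled here is only the `-a`/`-S`/`-F`/`-k` subset the thread uses, an assumption of this example.

```python
import errno
import shlex

# Constructed copy of the four rules posted in the thread.
RULES_TEXT = """
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access
"""

def parse_rule(line):
    """Parse one '-a always,exit ...' line into syscalls, -F conditions and the key."""
    toks = shlex.split(line)
    rule = {"syscalls": set(), "fields": [], "key": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-S":
            rule["syscalls"].add(toks[i + 1]); i += 2
        elif t == "-F":
            f = toks[i + 1]
            op = "!=" if "!=" in f else "="
            name, val = f.split(op, 1)
            rule["fields"].append((name, op, val)); i += 2
        elif t == "-k":
            rule["key"] = toks[i + 1]; i += 2
        else:
            i += 2 if t == "-a" else 1   # '-a' takes an argument (always,exit)
    return rule

def field_value(name, val):
    """Resolve '-EACCES' style exit filters to the negative errno the kernel returns."""
    if name == "exit" and val.startswith("-E"):
        return -getattr(errno, val[1:])
    return int(val) if name in ("exit", "auid") else val

def matches(rule, event):
    """event: dict with arch ('b32'/'b64'), syscall name, exit (return value), auid."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    for name, op, val in rule["fields"]:
        equal = event[name] == field_value(name, val)
        if equal != (op == "="):          # '=' needs equality, '!=' needs inequality
            return False
    return True

def keys_for(event):
    """Return the sorted set of rule keys this syscall outcome would be recorded under."""
    rules = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
    return sorted({r["key"] for r in rules if matches(r, event)})
```

Running `keys_for` on a successful open (e.g. exit=3) returns an empty list, which is exactly why the original poster saw no log line.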