From: Linda Knippers <linda.knippers@hp.com>
To: Peter Moody <pmoody@google.com>
Cc: linux-audit@redhat.com
Subject: Re: How to capture mount event in /var/log/audit/audit.log
Date: Mon, 09 Jul 2012 17:35:37 -0400 [thread overview]
Message-ID: <4FFB4EA9.6050603@hp.com> (raw)
In-Reply-To: <CALnj_=6jSnLV-Wu7rA3+HuqtqgzHz15gtLXXgg3T6kubSDZ5sg@mail.gmail.com>
Peter Moody wrote:
> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty@gmail.com> wrote:
>> Hi Linda
>>
>> Thanks for the response,
>>>> $ mount /dev/hdc /dev/cdrom
>>>> mount: only root can do that
>> $ strace mount
>> shows a few lines plus the following:
>> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>> (Permission denied)
>>
>> Then the root window that has tail -f /var/log/audit/audit.log
>> does capture unsuccessful mount with exit=-13
>>
>> I need /var/log/audit/audit.log to be able to capture the mount event
>> automatically without strace intervention.
>
> On my system, I see no difference WRT audit.log between 'mount' &
> 'strace mount'; neither ends up calling the mount system call so
> neither generates an audit log.
Same for me.
Betty, what does your audit record look like?
As it stands today with syscall auditing, I suspect you'll only get
an audit record for mount(2) if the mount command succeeds or if it
fails for a reason that the mount command itself isn't checking for.
-- ljk
>
> Cheers,
> peter
>
>> Betty
>>
>> ---------- Forwarded message ----------
>> From: Betty Man <man.bty@gmail.com>
>> Date: Fri, Jul 6, 2012 at 10:53 PM
>> Subject: capture mount event in /var/log/audit/audit.log
>> To: linux-audit@redhat.com
>>
>>
>> Hi Everyone,
>>
>> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>>
>> Have the following in the /etc/audit/audit.rules
>> ## non-privilege users using mount command.
>> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>
>> from a general user account
>>
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
>>
>> but /var/log/audit/audit.log does not capture this event
>>
>> Any input is much appreciated!
>>
>> Thanks in advance
>>
>> Betty
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
next prev parent reply other threads:[~2012-07-09 21:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-09 21:21 How to capture mount event in /var/log/audit/audit.log Betty Man
2012-07-09 21:30 ` Peter Moody
2012-07-09 21:35 ` Linda Knippers [this message]
2012-07-09 21:57 ` Giang Nguyen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FFB4EA9.6050603@hp.com \
--to=linda.knippers@hp.com \
--cc=linux-audit@redhat.com \
--cc=pmoody@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox