Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
* How to capture mount event in /var/log/audit/audit.log
@ 2012-07-09 21:21 Betty Man
  2012-07-09 21:30 ` Peter Moody
  0 siblings, 1 reply; 4+ messages in thread
From: Betty Man @ 2012-07-09 21:21 UTC (permalink / raw)
  To: linda.knippers; +Cc: linux-audit

Hi Linda

Thanks for the response,
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that

$ strace mount
shows a few lines plus the following:
 open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
(Permission denied)

Then the root window  that has tail -f /var/log/audit/audit.log
does capture unsuccessful mount with exit=-13

I need /var/log/audit/audit.log to be able to capture the mount event
automatically  without strace intervention.

Betty

---------- Forwarded message ----------
From: Betty Man <man.bty@gmail.com>
Date: Fri, Jul 6, 2012 at 10:53 PM
Subject: capture mount event in /var/log/audit/audit.log
To: linux-audit@redhat.com


Hi Everyone,

 in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5

Have the following in the /etc/audit/audit.rules
## non-privilege users using mount command.
 -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

from a general user account

$ mount /dev/hdc /dev/cdrom
mount: only root can do that

but /var/log/audit/audit.log   does not capture this event

Any input is much appreciated!

Thanks in advance

Betty

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: How to capture mount event in /var/log/audit/audit.log
  2012-07-09 21:21 How to capture mount event in /var/log/audit/audit.log Betty Man
@ 2012-07-09 21:30 ` Peter Moody
  2012-07-09 21:35   ` Linda Knippers
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Moody @ 2012-07-09 21:30 UTC (permalink / raw)
  To: Betty Man; +Cc: linux-audit

On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty@gmail.com> wrote:
> Hi Linda
>
> Thanks for the response,
>>> $ mount /dev/hdc /dev/cdrom
>>> mount: only root can do that
>
> $ strace mount
> shows a few lines plus the following:
>  open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
> (Permission denied)
>
> Then the root window  that has tail -f /var/log/audit/audit.log
> does capture unsuccessful mount with exit=-13
>
> I need /var/log/audit/audit.log to be able to capture the mount event
> automatically  without strace intervention.

On my system, I see no difference WRT audit.log between 'mount' &
'strace mount'; neither ends up calling the mount system call so
neither generates an audit log.

Cheers,
peter

> Betty
>
> ---------- Forwarded message ----------
> From: Betty Man <man.bty@gmail.com>
> Date: Fri, Jul 6, 2012 at 10:53 PM
> Subject: capture mount event in /var/log/audit/audit.log
> To: linux-audit@redhat.com
>
>
> Hi Everyone,
>
>  in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5
>
> Have the following in the /etc/audit/audit.rules
> ## non-privilege users using mount command.
>  -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>
> from a general user account
>
> $ mount /dev/hdc /dev/cdrom
> mount: only root can do that
>
> but /var/log/audit/audit.log   does not capture this event
>
> Any input is much appreciated!
>
> Thanks in advance
>
> Betty
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: How to capture mount event in /var/log/audit/audit.log
  2012-07-09 21:30 ` Peter Moody
@ 2012-07-09 21:35   ` Linda Knippers
  2012-07-09 21:57     ` Giang Nguyen
  0 siblings, 1 reply; 4+ messages in thread
From: Linda Knippers @ 2012-07-09 21:35 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit

Peter Moody wrote:
> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty@gmail.com> wrote:
>> Hi Linda
>>
>> Thanks for the response,
>>>> $ mount /dev/hdc /dev/cdrom
>>>> mount: only root can do that
>> $ strace mount
>> shows a few lines plus the following:
>>  open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>> (Permission denied)
>>
>> Then the root window  that has tail -f /var/log/audit/audit.log
>> does capture unsuccessful mount with exit=-13
>>
>> I need /var/log/audit/audit.log to be able to capture the mount event
>> automatically  without strace intervention.
> 
> On my system, I see no difference WRT audit.log between 'mount' &
> 'strace mount'; neither ends up calling the mount system call so
> neither generates an audit log.

Same for me.

Betty, what does your audit record look like?

As it stands today with syscall auditing, I suspect you'll only get
an audit record for mount(2) if the mount command succeeds or if it
fails for a reason that the mount command itself isn't checking for.

-- ljk
> 
> Cheers,
> peter
> 
>> Betty
>>
>> ---------- Forwarded message ----------
>> From: Betty Man <man.bty@gmail.com>
>> Date: Fri, Jul 6, 2012 at 10:53 PM
>> Subject: capture mount event in /var/log/audit/audit.log
>> To: linux-audit@redhat.com
>>
>>
>> Hi Everyone,
>>
>>  in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5
>>
>> Have the following in the /etc/audit/audit.rules
>> ## non-privilege users using mount command.
>>  -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>
>> from a general user account
>>
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
>>
>> but /var/log/audit/audit.log   does not capture this event
>>
>> Any input is much appreciated!
>>
>> Thanks in advance
>>
>> Betty
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: How to capture mount event in /var/log/audit/audit.log
  2012-07-09 21:35   ` Linda Knippers
@ 2012-07-09 21:57     ` Giang Nguyen
  0 siblings, 0 replies; 4+ messages in thread
From: Giang Nguyen @ 2012-07-09 21:57 UTC (permalink / raw)
  To: linda.knippers; +Cc: linux-audit

It's probably because the mount(8) program fails -- apparently because
you are not root -- before it gets to call the mount(2) syscall. That
is why you don't see the mount syscall in either strace output or
audit log. Try running your mount command as root.

On Mon, Jul 9, 2012 at 5:35 PM, Linda Knippers <linda.knippers@hp.com> wrote:
> Peter Moody wrote:
>> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty@gmail.com> wrote:
>>> Hi Linda
>>>
>>> Thanks for the response,
>>>>> $ mount /dev/hdc /dev/cdrom
>>>>> mount: only root can do that
>>> $ strace mount
>>> shows a few lines plus the following:
>>>  open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>>> (Permission denied)
>>>
>>> Then the root window  that has tail -f /var/log/audit/audit.log
>>> does capture unsuccessful mount with exit=-13
>>>
>>> I need /var/log/audit/audit.log to be able to capture the mount event
>>> automatically  without strace intervention.
>>
>> On my system, I see no difference WRT audit.log between 'mount' &
>> 'strace mount'; neither ends up calling the mount system call so
>> neither generates an audit log.
>
> Same for me.
>
> Betty, what does your audit record look like?
>
> As it stands today with syscall auditing, I suspect you'll only get
> an audit record for mount(2) if the mount command succeeds or if it
> fails for a reason that the mount command itself isn't checking for.
>
> -- ljk
>>
>> Cheers,
>> peter
>>
>>> Betty
>>>
>>> ---------- Forwarded message ----------
>>> From: Betty Man <man.bty@gmail.com>
>>> Date: Fri, Jul 6, 2012 at 10:53 PM
>>> Subject: capture mount event in /var/log/audit/audit.log
>>> To: linux-audit@redhat.com
>>>
>>>
>>> Hi Everyone,
>>>
>>>  in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5
>>>
>>> Have the following in the /etc/audit/audit.rules
>>> ## non-privilege users using mount command.
>>>  -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>>
>>> from a general user account
>>>
>>> $ mount /dev/hdc /dev/cdrom
>>> mount: only root can do that
>>>
>>> but /var/log/audit/audit.log   does not capture this event
>>>
>>> Any input is much appreciated!
>>>
>>> Thanks in advance
>>>
>>> Betty
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-07-09 21:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-07-09 21:21 How to capture mount event in /var/log/audit/audit.log Betty Man
2012-07-09 21:30 ` Peter Moody
2012-07-09 21:35   ` Linda Knippers
2012-07-09 21:57     ` Giang Nguyen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox