<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br></div><div><div class="h5">
<br>
Last time it was working for chmod, but this time, when I am trying to get a log<br>
for the open system call, I have made similar changes in the rules but did not<br>
get any log. Can you suggest something? Details are given below:<br>
<br>
*rules*:<br>
<br>
-a always,exit -F arch=b32 -S creat -S open -S openat -S<br>
truncate -F exit=-EACCES -F auid!=4294967295 -k access<br>
-a always,exit -F arch=b32 -S creat -S open -S openat -S<br>
truncate -F exit=-EPERM -F auid!=4294967295 -k access<br>
-a always,exit -F arch=b64 -S creat -S open -S openat -S<br>
truncate -F exit=-EACCES -F auid!=4294967295 -k access<br>
-a always,exit -F arch=b64 -S creat -S open -S openat -S<br>
truncate -F exit=-EPERM -F auid!=4294967295 -k access<br>
<br>
*strace output*: a file has been attached named "output for open sytem call.txt"<br>
<br>
<br>
strace -o /root/open_output open w<br>
/root/test01<br>
<br>
*auditctl -l output*: a file has been attached named "auditctl -l output.txt"<br>
<br>
<br>
The file has been attached.<br>
<br>
<br>
On Fri, Jan 20, 2012 at 9:53 AM, bharat gupta<br>
<<a href="mailto:bharatguptagg@gmail.com" target="_blank">bharatguptagg@gmail.com</a>><br></div></div>
<div class="im">wrote:<br>
<br>
Hi,<br>
Finally we got the log by doing as you told me, removing auid>=500. The generated log is like:<br>
<br>
time->Fri Jan 20 05:19:45 2012<br>
type=PATH msg=audit(1327033185.331:1561983): item=0 name=(null) inode=235577256 dev=00:06 mode=0140777 ouid=0 ogid=0 rdev=00:00<br>
type=SYSCALL msg=audit(1327033185.331:1561983): arch=c000003e syscall=91 success=yes exit=0 a0=d a1=100 a2=0 a3=7fffa34b3740 items=1 ppid=83194 pid=1287823 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=216 comm="mmdsm" exe="/bin/ksh" key="perm_mod"<br>
<br>
Thanks for helping so much.<br>
<br>
On Thu, Jan 19, 2012 at 5:43 PM, Marcelo Cerri<br>
<<a href="mailto:mhcerri@linux.vnet.ibm.com" target="_blank">mhcerri@linux.vnet.ibm.com</a>><br></div><div class="im">
wrote:<br>
<br>
So that's the problem :)<br>
<br>
root user id is 0 and your rule will only match user ids >= 500 (which is<br>
usually used for regular users).<br>
<br>
The auid field is the original user id. So if you were logged in as a regular<br>
user and tried to run chmod using sudo then your rule would have worked.<br>
<br>
Try to remove the -F auid>=500.<br>
<br>
Regards,<br>
Marcelo<br>
<br>
<br>
On 01/19/2012 09:57 AM, bharat gupta wrote:<br>
<br>
Yes, I have been logged in as root on the base machine and then logged in to<br>
the virtual cluster.<br>
<br>
On Thu, Jan 19, 2012 at 5:25 PM, Marcelo Cerri<br>
<<a href="mailto:mhcerri@linux.vnet.ibm.com" target="_blank">mhcerri@linux.vnet.ibm.com</a>><br></div><div><div class="h5">
wrote:<br>
<br>
I noticed that you are changing permission on a file in the /root dir.<br>
<br>
Are you running chmod as root? More precisely, are you logged in directly as root?<br>
<br>
<br>
<br>
On 01/19/2012 09:42 AM, bharat gupta wrote:<br>
<br>
Q1. Is this the only rule that you have? What is the output for "auditctl -l"?<br>
<br>
Ans. This is not the only rule I am running. The output of auditctl -l is given<br>
in the attached file named "auditctl-l_output.txt".<br>
<br>
Q2. What is the architecture that you are running on?<br>
Ans. The architecture detail is given in the attached file named "architecture.txt".<br>
<br>
Q3. Which program are you using to change the file permissions? Is it running<br>
as which user?<br>
Ans. strace -o /root/temp/output_chmod chmod 777 /root/test02<br>
and its output is given in the attached file named "output_chmod.txt".<br>
<br>
On Thu, Jan 19, 2012 at 4:45 PM, Marcelo Cerri<br>
<<a href="mailto:mhcerri@linux.vnet.ibm.com" target="_blank">mhcerri@linux.vnet.ibm.com</a>><br></div></div><div><div class="h5">
wrote:<br>
<br>
<br>
Some questions:<br>
<br>
1. Is this the only rule that you have? What is the output for "auditctl -l"?<br>
<br>
2. What is the architecture that you are running on?<br>
<br>
3. Which program are you using to change the file permissions? Is it running as<br>
which user?<br>
<br>
Regards,<br>
Marcelo<br>
<br>
PS: I think that it's important to keep the discussion in the mailing list.<br>
Other people with the same issue can access this thread later.<br>
<br>
<br>
<br>
On 01/19/2012 08:16 AM, bharat gupta wrote:<br>
<br>
If I remove the quotes then it will be similar to the previous rule, which was<br>
not giving any log. What should I do to get logs?<br>
Thanks<br>
<br>
18, 2012 at 5:40 PM, Marcelo Cerri<br>
<<a href="mailto:mhcerri@linux.vnet.ibm.com" target="_blank">mhcerri@linux.vnet.ibm.com</a>> wrote:<br>
<br>
Just remove the quotes. It's only necessary when running auditctl directly from bash.<br>
<br>
Regards,<br>
Marcelo<br>
<br>
<br>
On 01/18/2012 09:10 AM, bharat gupta wrote:<br>
<br>
When I am using auid>=500 in quotes like you told me,<br>
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F 'auid>=500' -F auid!=4294967295 -k perm_mod<br>
it is giving the error:<br>
#service auditd restart<br>
Stopping auditd: [ OK ]<br>
Starting auditd: [ OK ]<br>
-F unknown field: "auid<br>
There was an error in line 102 of /etc/audit/audit.rules<br>
<br>
<br>
<br>
On Sat, Jan 14, 2012 at 1:34 AM, Steve Grubb<br>
<<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>> wrote:<br>
<br>
On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote:<br>
> I am using redhat 6, and trying to create logs for some system call using<br>
> the rule given below:<br>
><br>
> *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500<br>
> -F auid!=4294967295 -k perm_mod*<br>
<br>
The rule works for me.<br>
<br>
# auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F 'auid>=500' -F auid!=4294967295 -k perm_mod<br>
<br>
I don't have any asterisk and I have single quote marks since bash will<br>
interpret the > as a redirection. But then doing a chmod command, it does pick<br>
up the fchmodat() syscall.<br>
<br>
<br>
> After running the chmod command I was not able to get any log, but when I used<br>
> the strace command I saw that the syscall had been called.<br>
> I also checked that the auditd service is running properly.<br>
<br>
When you use auditctl -l, is the rule just like you expected?<br>
<br>
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat<br>
<br>
It should just work unless you are on a distribution that does not really support auditing.<br>
<br>
-Steve<br>
<br>
<br>
<br>
<br>
-- Bharat Gupta<br>
IIT -Roorkee<br>
<br>
<br>
<br>
--<br>
Linux-audit mailing list<br>
<a href="mailto:Linux-audit@redhat.com" target="_blank">Linux-audit@redhat.com</a><br></div></div>
<div class="im">
<br>
<br>
<br>
<a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/linux-audit</a><br>
<br>
<br>
</div><div class="im">
</div></blockquote>
<br>
</div><br><br clear="all"><div><br></div>-- <br><div>Thanks,</div><div>Bharat Gupta </div><span style="color:rgb(0,0,0)">IIT -Roorkee</span><br style="color:rgb(0,0,0)"><br><br>
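As an added example (not code from this thread or from the audit project), the following Python script applies an auditctl rule's -F filters and -S list to a SYSCALL record offline and names the first condition that rejects it. It reproduces the two situations discussed in the thread: -F auid>=500 never matching a session whose login uid is 0, and the access rules keyed on exit=-EACCES or exit=-EPERM firing only when the open actually fails. The x86_64 syscall numbers are a hand-picked subset and the records are constructed, modelled on the one quoted above.

```python
import operator
import re

# Kernel audit arch ids (x86_64, i386) and a constructed subset of the x86_64 table.
ARCH = {"b64": "c000003e", "b32": "40000003"}
SYSCALL_X86_64 = {"open": 2, "creat": 85, "truncate": 76, "chmod": 90,
                  "fchmod": 91, "openat": 257, "fchmodat": 268}
ERRNO = {"EPERM": 1, "EACCES": 13}     # exit=-Exxx filters compare against -errno
OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.+)$")


def parse_rule(rule):
    """Split an 'auditctl -a always,exit ...' rule into its -S names and -F filters.
    Quotes are dropped because they only protect '>' from the shell; inside
    audit.rules they are an error (the thread's '-F unknown field: "auid')."""
    toks = rule.replace("'", "").replace('"', "").split()
    syscalls, filters = [], []
    for flag, arg in zip(toks, toks[1:]):
        if flag == "-S":
            syscalls.append(arg)
        elif flag == "-F":
            m = FILTER_RE.match(arg)
            if not m:
                raise ValueError("bad -F filter: " + arg)
            filters.append(m.groups())
    return syscalls, filters


def parse_record(line):
    """Turn one 'type=SYSCALL ...' audit line into a dict of its key=value fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def _wanted(field, value):
    """Right-hand side of a filter as the integer the kernel compares against."""
    if field == "exit" and value.startswith("-E"):
        return -ERRNO[value[1:]]       # -EACCES -> -13, -EPERM -> -1
    return int(value)


def check_rule(rule, record):
    """Return None if the rule would log this record, otherwise a string naming
    the first condition that rejects it (a diagnostic auditd itself never gives)."""
    syscalls, filters = parse_rule(rule)
    rec = parse_record(record)
    if rec.get("type") != "SYSCALL":
        return "not a SYSCALL record"
    for field, op, value in filters:
        if field == "arch":
            if rec["arch"] != ARCH[value]:
                return "arch=%s (record arch=%s)" % (value, rec["arch"])
            continue
        have = int(rec[field])
        if not OPS[op](have, _wanted(field, value)):
            return "%s%s%s (record %s=%d)" % (field, op, value, field, have)
    if rec["arch"] != ARCH["b64"]:
        return "no syscall table for arch " + rec["arch"]
    if int(rec["syscall"]) not in {SYSCALL_X86_64[s] for s in syscalls}:
        return "syscall %s not in -S %s" % (rec["syscall"], ",".join(syscalls))
    return None


# Constructed records modelled on the one quoted in the thread: a root chmod
# (auid=0, fchmod succeeded), a successful open, and the same open denied.
CHMOD_ROOT = ("type=SYSCALL msg=audit(1327033185.331:1561983): arch=c000003e "
              "syscall=91 success=yes exit=0 auid=0 uid=0 ses=216 key=(null)")
OPEN_OK = ("type=SYSCALL msg=audit(1327100000.000:1): arch=c000003e "
           "syscall=2 success=yes exit=3 auid=500 uid=500 ses=3 key=(null)")
OPEN_DENIED = ("type=SYSCALL msg=audit(1327100001.000:2): arch=c000003e "
               "syscall=2 success=no exit=-13 auid=500 uid=500 ses=3 key=(null)")
PERM_MOD_500 = ("-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat "
                "-F 'auid>=500' -F auid!=4294967295 -k perm_mod")
PERM_MOD = PERM_MOD_500.replace("-F 'auid>=500' ", "")   # the fix from the thread
ACCESS_EACCES = ("-a always,exit -F arch=b64 -S creat -S open -S openat "
                 "-S truncate -F exit=-EACCES -F auid!=4294967295 -k access")

if __name__ == "__main__":
    for rule, rec in [(PERM_MOD_500, CHMOD_ROOT), (PERM_MOD, CHMOD_ROOT),
                      (ACCESS_EACCES, OPEN_OK), (ACCESS_EACCES, OPEN_DENIED)]:
        print(check_rule(rule, rec) or "LOGGED")
```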