linux_4ever at yahoo.com
Thu Aug 3 17:50:49 UTC 2006
>> No one can turn off auditd unless they are root. Do you have
>> untrusted root users?
>We do not have untrusted root users, the problem is we are trying to
>audit ourselves and do it in a way that we could not easily
You will likely need to use the realtime interface and write a program that moves
the data to another machine. I will be writing one in a couple months, but in the
meantime everyone has to cobble together their own solution. Otherwise they can
just do auditctl -e 0 and you are done.
>If i wanted to excluded the following
>type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
>success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
>auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>tty=(none) comm="sshd" exe="/usr/sbin/sshd"
>-a exclude,always -F msgtype=SYSCALL
> -a exit.always -F uid=0
> -a entry,always -F uid=0
>Is this correct ?
These are 3 different rules that form an OR condition. What will happen is
SYSCALL records in the event will be thrown away, any syscall with uid 0 will be
recorded, and a redundant rule will try to do the same thing.
>or can i do something
>- -a exit,
> What are you really trying to record?
>Trying to record when people access particular files , which i have
>been looking at the auditctl -w but the examples do not work in the
You have to have the 2.6.18 kernel to get this to work. Otherwise you are limited
to using -F devmajor=xx -F devminor=yy
>such as (found in capp.rules)
> -w /var/log/audit/ -k LOG_audit
The above works for 2.6.18 kernel.
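The following is an added example, not code from the original post or from the audit project: a small Python parser for audit records in the key=value form quoted above, plus an emulation of how the three `-a` rules and the `-w` watch are checked independently (the OR semantics the reply describes). The SYSCALL record is the one quoted in the thread; the PATH record, the `Rule`/`parse_rule`/`evaluate` helpers and the way exclude rules are modelled are assumptions made for illustration and do not reproduce the kernel's exact matching code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# key=value pairs: values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SYSCALL record exactly as quoted in the thread (auid is already masked there).
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 '
    'auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="sshd" exe="/usr/sbin/sshd"'
)
# Constructed PATH record for the same event (not from the thread).
PATH_LINE = (
    'type=PATH msg=audit(1154617819.471:67475): item=0 '
    'name="/var/log/audit/audit.log" inode=4242 dev=fd:00 mode=0100600 ouid=0 ogid=0'
)
# The three rules proposed in the thread, and the capp.rules watch.
THREAD_RULES = [
    "-a exclude,always -F msgtype=SYSCALL",
    "-a exit,always -F uid=0",
    "-a entry,always -F uid=0",
]
WATCH_RULE = "-w /var/log/audit/ -k LOG_audit"


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record into a dict; quotes and the msg=...: colon are dropped."""
    return {k: v.strip('"').rstrip(':') for k, v in FIELD_RE.findall(line)}


@dataclass
class Rule:
    """One auditctl rule: -a <list>,<action> -F <field>=<value>, or -w <path>."""
    list_name: str   # "exclude", "exit", "entry", or "watch" for -w
    action: str      # "always" or "never"
    field: str       # "msgtype", "uid", ... or "path" for a watch
    value: str

    def matches(self, rec: Dict[str, str]) -> bool:
        if self.field == "msgtype":          # msgtype compares the record type
            return rec.get("type") == self.value
        if self.field == "path":             # a watch is matched against PATH records
            return rec.get("type") == "PATH" and rec.get("name", "").startswith(self.value)
        return rec.get(self.field) == self.value


def parse_rule(text: str) -> Rule:
    """Hypothetical parser for the two auditctl forms used in the thread."""
    toks = text.split()
    if toks[0] == "-w":
        return Rule("watch", "always", "path", toks[1])
    list_name, action = toks[1].split(",")
    field, value = toks[3].split("=", 1)
    return Rule(list_name, action, field, value)


def evaluate(rec: Dict[str, str], rules: List[Rule]) -> Tuple[bool, List[str]]:
    """Emulate independent rule evaluation: an exclude rule throws the record
    away outright; otherwise any matching 'always' rule records it.
    Returns (recorded, explanations)."""
    notes: List[str] = []
    for r in rules:
        if r.list_name == "exclude" and r.matches(rec):
            notes.append(f"dropped: exclude {r.field}={r.value}")
            return False, notes
    recorded = False
    for r in rules:
        if r.list_name != "exclude" and r.matches(rec):
            notes.append(f"matched: {r.list_name},{r.action} {r.field}={r.value}")
            recorded = recorded or r.action == "always"
    return recorded, notes


def demo() -> Dict[str, bool]:
    """Show that the three rules do not combine into 'record root except SYSCALL'."""
    rules = [parse_rule(t) for t in THREAD_RULES]
    return {
        "syscall_with_all_three": evaluate(parse_record(SYSCALL_LINE), rules)[0],
        "syscall_with_uid_rules_only": evaluate(parse_record(SYSCALL_LINE), rules[1:])[0],
        "path_with_watch": evaluate(parse_record(PATH_LINE), rules + [parse_rule(WATCH_RULE)])[0],
    }


if __name__ == "__main__":
    for name, recorded in demo().items():
        print(f"{name}: {'recorded' if recorded else 'not recorded'}")
```

Run it and the first result is `not recorded` while the second is `recorded`: the exclude rule discards every SYSCALL record regardless of the uid rules, and the uid rules alone record all of root's syscalls, which is why the reply says the three rules act as separate OR'd conditions rather than one combined filter. The watch only ever matches PATH records, so it answers the "who touched this file" question independently of the SYSCALL exclude.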