audit.19 kernel

Loulwa F Salem loulwa at us.ibm.com
Fri Apr 8 15:03:18 UTC 2005


linux-audit-bounces at redhat.com wrote on 04/06/2005 10:41:06 AM:

> I'm uploading the audit.19 kernel. It has Tim's latest patch and my
> patch to log signals sent to the audit dæmon.
> 
> -- 
> dwmw2
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit

I am seeing inconsistent behavior when testing the watches with this
kernel. Is anybody else encountering something similar?

Below you will find the manual steps I am performing, and they only 
generate two records (for the first touch, and the remove).
I also tried to set permissions to "reaw" to ensure I get all records, but 
that didn't help either.

[root at checkered objident]# uname -a
Linux checkered.ltc.austin.ibm.com 2.6.9-5.0.3.EL.audit.19 #1 Wed Apr 6 
09:10:02 EDT 2005 i686 i686 i386 GNU/Linux
[root at checkered objident]# rpm -qa | grep audit
audit-libs-0.6.10-1
audit-0.6.10-1
kernel-2.6.9-5.0.3.EL.audit.19
audit-libs-devel-0.6.10-1

[root at checkered lib]# auditctl -w /tmp/test_file -k file-key
No rules
[root at checkered lib]# touch /tmp/test_file
[root at checkered lib]# cat /tmp/test_file
[root at checkered lib]# cp /tmp/test_file /tmp/something
[root at checkered lib]# touch /tmp/test_file
[root at checkered lib]# cp /tmp/something /tmp/test_file
cp: overwrite `/tmp/test_file'? y
[root at checkered lib]# rm /tmp/test_file
rm: remove regular empty file `/tmp/test_file'? y

type=KERNEL msg=audit(1112950099.362:0): audit_enabled=1 old=1 by auid 4294967295
type=KERNEL msg=audit(1112950147.072:4062817): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): syscall=5 arch=40000003 success=yes exit=3 a0=bff7cbb2 a1=8941 a2=1b6 a3=8941 items=1 pid=4538 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1112950218.048:4070039): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): syscall=10 arch=40000003 success=yes exit=0 a0=bffa1bb8 a1=0 a2=80505e4 a3=bffa1bb8 items=1 pid=4543 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe=/bin/rm

- Loulwa
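Added example (editor's code, not part of the post or of the audit project): a small checker that parses the records above, groups them by audit serial into events, and reports which events hit the watch tagged `file-key` and which of the commands that were run against the watched path produced no record at all. The sample input is the post's own six records, re-joined onto one line each (the archive wrapped them); the syscall-name table is an assumption covering a handful of i386 numbers, since `arch=40000003` is AUDIT_ARCH_I386.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample input: the six records quoted in the post above, each
# re-joined onto a single line (the mailing-list archive wrapped them).
SAMPLE = """\
type=KERNEL msg=audit(1112950099.362:0): audit_enabled=1 old=1 by auid 4294967295
type=KERNEL msg=audit(1112950147.072:4062817): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950147.072:4062817): syscall=5 arch=40000003 success=yes exit=3 a0=bff7cbb2 a1=8941 a2=1b6 a3=8941 items=1 pid=4538 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1112950218.048:4070039): item=0 name="/tmp/test_file" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): auxitem=1 name="test_file" filterkey=file-key perm=0 perm_mask=2 inode=2224460 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1112950218.048:4070039): syscall=10 arch=40000003 success=yes exit=0 a0=bffa1bb8 a1=0 a2=80505e4 a3=bffa1bb8 items=1 pid=4543 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe=/bin/rm
"""

# Assumption: arch=40000003 is AUDIT_ARCH_I386, so syscall numbers are i386 ones.
# Only a handful are listed here; unknown numbers are reported as sys_<n>.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 10: "unlink", 11: "execve"}

# "type=KERNEL msg=audit(<timestamp>:<serial>): <key=value ...>"
HDR = re.compile(r"^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value, where value is either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_records(text):
    """Yield (serial, timestamp, fields) for every audit record line in `text`."""
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {"type": rtype}
        for key, full, quoted in KV.findall(rest):
            fields[key] = quoted if full.startswith('"') else full
        yield int(serial), float(ts), fields


def group_events(text):
    """Merge the records that share an audit serial into one event.

    The first value seen for a key wins, so `name` keeps the item=0 path
    ("/tmp/test_file") rather than the auxitem basename ("test_file").
    """
    events = OrderedDict()
    for serial, ts, fields in parse_records(text):
        ev = events.setdefault(serial, {"serial": serial, "ts": ts, "records": 0})
        ev["records"] += 1
        for key, value in fields.items():
            ev.setdefault(key, value)
    return list(events.values())


def watch_hits(text, key):
    """Return the events that matched the watch tagged with filterkey `key`."""
    hits = []
    for ev in group_events(text):
        if ev.get("filterkey") != key or "syscall" not in ev:
            continue
        nr = int(ev["syscall"])
        hits.append({
            "serial": ev["serial"],
            "syscall": nr,
            "syscall_name": I386_SYSCALLS.get(nr, "sys_%d" % nr),
            "comm": ev.get("comm"),
            "exe": ev.get("exe"),
            "name": ev.get("name"),
            "success": ev.get("success"),
        })
    return hits


def missing_operations(expected_comms, hits):
    """Count, per command name, the runs that left no watch record behind.

    `expected_comms` lists the commands actually executed against the watched
    path, in order; the result is {comm: number_of_unrecorded_runs}.
    """
    recorded = Counter(h["comm"] for h in hits)
    return dict(Counter(expected_comms) - recorded)


if __name__ == "__main__":
    hits = watch_hits(SAMPLE, "file-key")
    for h in hits:
        print("%(serial)d %(syscall_name)s(%(syscall)d) %(comm)s -> %(name)s "
              "success=%(success)s" % h)
    # The transcript above ran touch, cat, cp, touch, cp, rm against /tmp/test_file.
    print("no watch record for:",
          missing_operations(["touch", "cat", "cp", "touch", "cp", "rm"], hits))
```

Running it over the posted records yields exactly two watch events, open(5) by `touch` and unlink(10) by `rm`, and flags one `touch`, the `cat` and both `cp` runs as unrecorded, which is the same gap the post describes. Grouping by serial is what `ausearch` does for you on a real system; doing it by hand is useful when a report consists of raw lines pasted into mail, as here.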

