watch question

Linda Knippers linda.knippers at hp.com
Mon Aug 8 14:04:21 UTC 2005


I'm running the capp rules on my ia64 box with the .84 kernel and the
1.0.1 tools and I'm seeing audit records for things that I don't think I
should be seeing.

With a watch rule like this:
-w /etc/group -p wa -k CFG_group
with the associated syscall rules in the capp rules file, should
I only be getting records when someone writes or appends to the
group file?  That's what I think the -p options mean but I'm
getting audit records anytime someone does anything to the group
file, including just access()ing it.  The same is true for other
watched files.

With a little test program that does a read access check on
any file, I always get a set of audit records like this when I do
it on a watched file.

type=SYSCALL msg=audit(1123283719.207:502): arch=c0000032 syscall=1049
success=yes exit=0 a0=60000fffffffb935 a1=4 a2=60000fffffffb935 a3=4
items=1 pid=4230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="t_path" exe="/home/ljk/t_path"
type=FS_INODE msg=audit(1123283719.207:502): inode=559722 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123283719.207:502):  cwd="/home/ljk"
type=PATH msg=audit(1123283719.207:502): name="/etc/group" flags=401
inode=559722 dev=08:13 mode=0100644 ouid=0 ogid=0 rdev=00:00

Should that be happening?

My little test program and output of an auditctl -v are attached.

-- ljk


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: auditlist.txt
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050808/6690aa15/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: t_path.c
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050808/6690aa15/attachment.c>
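Added example, not part of the post or of the audit tools: a small Python parser for records of the shape quoted above. It groups the records by serial, re-joins the e-mail-wrapped continuation lines, and checks per event whether the syscall actually exercised one of the permissions a `-p` watch asks for. It assumes the ia64 syscall table (1049 is access(2), a1 is its mode argument) and auditctl's documented `-p` letters; the sample event is the one from the post.

```python
import re
from collections import defaultdict
# Constructed sample: the one event (serial 502) quoted in the post, wrapped as e-mail text.
SAMPLE = """type=SYSCALL msg=audit(1123283719.207:502): arch=c0000032 syscall=1049
success=yes exit=0 a0=60000fffffffb935 a1=4 a2=60000fffffffb935 a3=4
items=1 pid=4230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="t_path" exe="/home/ljk/t_path"
type=FS_INODE msg=audit(1123283719.207:502): inode=559722 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123283719.207:502):  cwd="/home/ljk"
type=PATH msg=audit(1123283719.207:502): name="/etc/group" flags=401
inode=559722 dev=08:13 mode=0100644 ouid=0 ogid=0 rdev=00:00"""

# Assumption: ia64 syscall numbers (base 1024); only the few needed here.
IA64_SYSCALLS = {1026: "read", 1027: "write", 1028: "open", 1049: "access"}
R_OK, W_OK, X_OK = 4, 2, 1            # access(2) mode bits; F_OK is 0
HDR = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by serial -> {record type: {field: value}}; lines that do
    not start with type= are e-mail wrapped continuations of the previous record."""
    events, current = defaultdict(dict), None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            current = events[int(m.group(3))].setdefault(m.group(1), {})
            line = m.group(4)
        elif current is None:
            continue
        current.update((k, v.strip('"')) for k, v in KV.findall(line))
    return dict(events)

def exercised_perms(event):
    """Permission letters (r/w/x) the SYSCALL record actually exercised, or None."""
    sc = event.get("SYSCALL", {})
    name = IA64_SYSCALLS.get(int(sc.get("syscall", -1)))
    if name == "access":                       # a1 is the mode argument, in hex
        mode = int(sc["a1"], 16)
        perms = {p for bit, p in ((R_OK, "r"), (W_OK, "w"), (X_OK, "x")) if mode & bit}
        return perms or {"r"}                  # F_OK existence check: treat as a read
    return {"read": {"r"}, "write": {"w"}}.get(name)

def watch_should_match(event, path, perms="wa"):
    """auditctl -p letters: r=read, w=write, x=execute, a=attribute change.
    True if the event touches `path` with one of those; unknown syscalls count."""
    if event.get("PATH", {}).get("name") != path:
        return False
    used = exercised_perms(event)
    return True if used is None else bool(used & set(perms))
```

Running it over the quoted event reports a read-only access(2) on /etc/group, which a `-p wa` watch should not have matched; comparing that verdict with what the kernel actually logged is the check the question is asking for.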
