two sets of fs_watch/fs_inode messages?

Linda Knippers linda.knippers at hp.com
Wed Aug 10 19:21:59 UTC 2005


I'm running the sample CAPP rules with the .87 kernel and 1.0.1
audit tools.  I'm seeing duplicate watch/inode messages sometimes.

The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/).  I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like below.  Notice that the FS_WATCH and FS_INODE
lines show up twice.  That doesn't seem right.  Any ideas?

-- ljk

type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 
success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 
pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" 
flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00

More information about the Linux-audit mailing list