[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 24 19:13:36 UTC 2005
On Thu, 2005-03-24 at 11:00 -0600, Timothy R. Chavez wrote:
> Hmmm... Here's what I get:
>
> ./auditctl -w /audit/foo -k fk_foo
> cat /audit/foo
>
> audit(1111683374.383:13808290): name="foo" filterkey=fk_foo perm=0 perm_mask=4
> inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
> audit(1111683374.383:13808290): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0
> a3=8000 items=1 pid=31676 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0
> audit(1111683374.383:13808290): item=0 name="/audit/foo" inode=962899
> dev=00:00

Ok, going back to what you are trying to achieve in terms of high level
goals (e.g. maintain auditing on /etc/shadow across re-creation for each
transaction), I did the following:

auditctl -w /etc/shadow -k SHADOW -p wa

i.e. show me all attempts to write or append to /etc/shadow.

Then I ran 'passwd' as a normal user and changed my own password, thus
re-creating /etc/shadow with my new password. No audit messages were
generated.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency