Oops while checking file system auditing

Rob Myers rob.myers at gtri.gatech.edu
Tue May 24 19:56:06 UTC 2005


On Tue, 2005-05-24 at 15:19 -0400, Steve Grubb wrote:
> On Tuesday 24 May 2005 14:06, Timothy R. Chavez wrote:
> > Can you also provide architecture, UP/SMP, etc
> 
> I just upgraded to the .48 kernel and did this:
> 
> -a entry,always -S mkdir
> -a entry,always -S kill
> -w /etc/passwd -k fk_passwd -p rwea
> -w /var/run/dbus/system_bus_socket -k dbus-test -p rwea
> 
> This kills the machine dead...well except for the blinking numlock & caps lock 
> lights. 

So far, I am unable to reproduce on audit.48 UP or SMP.

[root@localhost ~]# auditctl -l
AUDIT_LIST: entry always syscall=mkdir
AUDIT_LIST: entry always syscall=kill
AUDIT_WATCH_LIST: dev=8:2, path=/etc/passwd, filterkey=fk_passwd,
perms=15, valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/var/run/dbus/system_bus_socket,
filterkey=, perms=15, valid=0
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.9-5.0.3.EL.audit.48smp #1 SMP Mon May 23
16:33:18 EDT 2005 i686 i686 i386 GNU/Linux

[root@localhost ~]# auditctl -l
AUDIT_LIST: entry always syscall=mkdir
AUDIT_LIST: entry always syscall=kill
AUDIT_WATCH_LIST: dev=8:2, path=/etc/passwd, filterkey=, perms=15,
valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/var/run/dbus/system_bus_socket,
filterkey=dbus-test, perms=15, valid=0
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.9-5.0.3.EL.audit.48 #1 Mon May 23
16:24:01 EDT 2005 i686 i686 i386 GNU/Linux

Steve, can you reproduce it reliably?

rob.




