watch dir problem

Steve Grubb sgrubb at redhat.com
Thu May 26 19:39:48 UTC 2005


Hello,

I got a capture of audit doing a log rotate using:

auditctl -w /var/log -k dir -p rwea

type=SYSCALL msg=audit(05/26/05 15:24:55.023:13588534) : arch=i386 
syscall=rename success=yes exit=0 a0=94bc008 a1=94bc028 a2=8051254 a3=8054e00 
items=2 pid=1716 auid=unknown(4294967295) uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root comm=auditd 
exe=/sbin/auditd
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) :  watch=log 
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249 
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) :  watch=log 
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249 
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=0 
name=/var/log/audit/audit.log inode=29307 dev=03:07 mode=dir,750 ouid=root 
ogid=root rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1 
name=/var/log/audit/audit.log.1 inode=29307 dev=03:07 mode=dir,750 ouid=root 
ogid=root rdev=00:00

The thing I'm wondering about is the mode not matching the object in PATH. The 
watch is on a dir, but the item listed is not a dir, it's a file with access 
perms of 0640.

-Steve
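
One way to check for the discrepancy described above, as an added example that is not part of the original post or the audit project's code: it parses record text in the format shown in the post (re-joining the wrapped lines) and compares each PATH record's mode= field with lstat() of the named object as it exists now. The function names and the temp-file sample are constructed for illustration.

```python
import os
import re
import stat
import tempfile

HEADER = re.compile(r"^type=(\S+) msg=audit\((.*?):(\d+)\) : (.*)$")

def parse_records(text):
    """Yield (type, serial, fields) per record; lines not starting with type= are wraps."""
    joined = []
    for line in text.splitlines():
        if line.startswith("type="):
            joined.append(line.strip())
        elif line.strip() and joined:
            joined[-1] += " " + line.strip()
    for rec in joined:
        m = HEADER.match(rec)
        if m:
            # key=value pairs; names containing spaces are not handled here
            fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
            yield m.group(1), m.group(3), fields

def mode_mismatches(text, lstat=os.lstat):
    """Return PATH items whose logged mode disagrees with the object now on disk."""
    out = []
    for rtype, serial, f in parse_records(text):
        # only the interpreted "type,perms" form (e.g. dir,750) is compared
        if rtype != "PATH" or "name" not in f or "," not in f.get("mode", ""):
            continue
        kind, _, perms = f["mode"].partition(",")
        try:
            st = lstat(f["name"])
        except OSError:
            continue  # object renamed or removed since the event; nothing to compare
        on_disk = ("dir" if stat.S_ISDIR(st.st_mode) else "non-dir", stat.S_IMODE(st.st_mode))
        logged = ("dir" if kind == "dir" else "non-dir", int(perms, 8))
        if on_disk != logged:
            out.append((serial, f.get("item"), f["name"], f["mode"], "%s,%o" % on_disk))
    return out

def demo():
    """Constructed input: the post's PATH record shape, pointed at a temp file chmod 0640."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log.1")
        open(path, "w").close()
        os.chmod(path, 0o640)
        sample = ("type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1 \n"
                  "name=%s inode=29307 dev=03:07 mode=dir,750 ouid=root\n" % path)
        return mode_mismatches(sample)
```

The comparison is against the current filesystem state, so a mismatch is only meaningful for objects that have not been changed since the event was logged.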



