auditctl question

Williams, P. Lane Lane.Williams at jhuapl.edu
Thu Aug 3 13:00:25 UTC 2006 

The records that I care about are the permission denied records.
If I do...

auditctl -a exit,always -S all -F success=0

I get ....

----
type=PATH msg=audit(08/03/06 08:49:37.229:78293) : item=0 name=/var/log/messages flags=follow,open inode=53150921 dev=08:03 mode=file,640 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/03/06 08:49:37.229:78293) :  cwd=/home/someuser
type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more
----

but, I also get a lot of other garbage that I do not want.....such as all of the "exit=-2(No such file or directory)".

I would like to....

auditctl -a exit,always -S all -F exit=-13

so I only get permission denied entries.  Auditctl allows me to create the rule, and it list the rule.  But nothing is logged, when I know it should be.

I am running the 2.6.16.21 kernel (SUSE Enterprise Desktop 10) on AMD64 dual core machines.

Lane


-----Original Message-----
From: Klaus Weidner [mailto:klaus at atsec.com]
Sent: Wed 8/2/2006 8:22 PM
To: Williams, P. Lane
Cc: linux-audit at redhat.com
Subject: Re: auditctl question
 
On Wed, Aug 02, 2006 at 04:49:02PM -0400, Lane Williams wrote:
> Should the following work???
> 
> auditctl -a exit,always -S all -F exit=-13
> 
> When I use a negative value for exit, I get no output into the logs when
> I should.
> I am using audit-1.2.3 on SuSE Enterprise 10 with the 2.6.16.21 kernel.

What do the audit records look like that you expect to be matching, and
what architecture are you running on? I recall a bug on ia64 where failed
system calls were being audited with "success=yes" and the positive errno,
and a patch to change that to negative errno to be consistent with other
architectures.

Cf.:

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173500

which claims to be fixed by:

	http://rhn.redhat.com/errata/RHSA-2006-0132.html

-Klaus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060803/01dbae71/attachment.htm>

More information about the Linux-audit mailing list