auditctl question

Thu Aug 3 15:18:14 UTC 2006

On Thu, Aug 03, 2006 at 09:00:25AM -0400, Williams, P. Lane wrote:
> I get ....
> 
> ----
> type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more
> ----

This is from "ausearch -i"? The raw audit log shouldn't have the
"(Permission denied)" part in it, but apart from that it seems that the
kernel is auditing things correctly and this is unrelated to the bug I
had referred to.

> so I only get permission denied entries.  Auditctl allows me to create the rule, and it list the rule.  But nothing is logged, when I know it should be.
> 
> I am running the 2.6.16.21 kernel (SUSE Enterprise Desktop 10) on AMD64 dual core machines.

This kernel has a snapshot of the audit code that was in development at
the time. Can you please try with a newer upstream kernel and/or bug SUSE
to incorporate the current audit fixes in an update?

-Klaus