Current capabilities
Steve Grubb
sgrubb at redhat.com
Wed Dec 13 23:41:16 UTC 2006
On Wednesday 13 December 2006 18:16, Michael W Folsom wrote:
> 1) If someone tries to access an object (file, directory, program) that
> they don't have rights to the event needs to be recorded
-a always,exit -S open,opendir,execve -F exit=-13
This does it for 3 common syscalls. You can do it for any syscall you want.
You can use strace to figure out the syscalls you want.
> 2) if someone logs into a system and su's to another user or series of
> users their actions need to be traceable to the original login user's
> id
It does this. There is a process attribute, loginuid, that keeps track of
this. The audit events have it as the auid field. We've already preconfigured
RHEL4/5 and FC4->rawhide to handle this.
-Steve
More information about the Linux-audit
mailing list