auditd/auditctl SLED10

Lane Williams lane.williams at jhuapl.edu
Fri Jul 21 12:14:45 UTC 2006


Yeah, I had tried that.  There is an access syscall.  From the looks of
things the audit version that comes with SuSE has a few problems.  I
know in Red Hat it seems to work as I need it to.  SuSE is also using
Apparmor in place of SELinux, or at least they make it appear that way.
The audit daemon also does not support file system watches.

Seems the only success=no returns that I receive are when the file does
not exist.  I may also have to add more to my filter in order to get
what I want.  Unfortunately I am stuck with SuSE and will have to
continue troubleshooting until the patches come out.

Thanks,
Lane

On Thu, 2006-07-20 at 16:08 -0400, Linda Knippers wrote:
> There was a bug at one point where the '-F success=0' didn't
> work but '-F success!=1' did work.  You might want to try that
> as a workaround.  You might also try an strace on whatever program
> you're using to test with to make sure there isn't an access()
> system call before the open.  If there is, then you'll want to audit
> access failures.
> 
> -- ljk
> 
> Lane Williams wrote:
> > I am using audit 1.1.3 under SuSE Enterprise 10.  I was wondering if
> > anyone could give me an idea of how to log when someone tries to open a
> > file which they do not have access to.
> > 
> > I've tried the example
> > 
> > auditctl -a exit,always -S open -F success=0
> > 
> > When I do this I get nothing in the logs.  But if I add the following
> > 
> > auditctl -a entry,always -S open 
> > 
> > I get all of the entries and the open failures when there is "No such
> > file or directory", but no access violations...
> > 
> > Thanks for any help,
> > 
> > Lane
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> 
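As an added example (not part of Lane's or Linda's messages), the script below puts the two suggestions from the thread side by side: rules that audit failed open() and access() calls using the `-F success!=1` workaround, and a log-side filter that separates permission-denied failures (EACCES/EPERM) from the "No such file or directory" (ENOENT) records Lane was seeing. The `-F arch=b64` filter and the `-k` keys are assumptions of this example, not something the thread states; the audit records are constructed, and the rules are printed rather than loaded so the script runs without root or auditctl.

```shell
#!/bin/sh
# Added example (not from the thread): audit rules that cover both the open()
# and access() paths Linda mentioned, plus a filter that separates
# permission-denied failures (EACCES/EPERM) from the ENOENT noise Lane saw.
# The rules are printed, not loaded, so this runs without root or auditctl;
# the log records below are constructed, not captured from a real system.

# Rule set. '-F success!=1' is the workaround from the thread; '-F arch=b64'
# and the '-k' keys are assumptions of this example (x86_64 needs one rule per
# arch, and keys make 'ausearch -k' lookups easy). success!=1 still matches
# ENOENT, so errno filtering happens on the log side below.
failed_access_rules() {
    cat <<'EOF'
-a exit,always -F arch=b64 -S open -F success!=1 -k denied-open
-a exit,always -F arch=b64 -S access -F success!=1 -k denied-access
EOF
}

# Constructed SYSCALL records in audit.log format (syscall 2 = open,
# 21 = access on x86_64). exit=-2 is ENOENT, -13 is EACCES, -1 is EPERM.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1153480000.101:301): arch=c000003e syscall=2 success=no exit=-2 items=1 ppid=1200 pid=1234 auid=500 uid=500 gid=100 euid=500 comm="cat" exe="/bin/cat" key="denied-open"
type=SYSCALL msg=audit(1153480000.102:302): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1200 pid=1235 auid=500 uid=500 gid=100 euid=500 comm="cat" exe="/bin/cat" key="denied-open"
type=SYSCALL msg=audit(1153480000.103:303): arch=c000003e syscall=21 success=no exit=-13 items=1 ppid=1200 pid=1236 auid=500 uid=500 gid=100 euid=500 comm="vi" exe="/usr/bin/vi" key="denied-access"
type=SYSCALL msg=audit(1153480000.104:304): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1200 pid=1237 auid=500 uid=500 gid=100 euid=500 comm="cat" exe="/bin/cat" key=(null)
EOF
}

# Read audit records on stdin and print one summary line per SYSCALL record
# that failed with EPERM (-1) or EACCES (-13). Other failures, including
# ENOENT, are dropped.
permission_denied_events() {
    awk '
        /^type=SYSCALL / && / success=no / && / exit=-(1|13) / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "syscall" || kv[1] == "uid" || kv[1] == "comm" ||
                    kv[1] == "exit"    || kv[1] == "key")
                    f[kv[1]] = kv[2]
            }
            printf "syscall=%s uid=%s comm=%s exit=%s key=%s\n",
                   f["syscall"], f["uid"], f["comm"], f["exit"], f["key"]
            for (k in f) delete f[k]
        }'
}

# Number of permission-denied records in the sample log.
count_denied() {
    sample_audit_log | permission_denied_events | wc -l | tr -d ' '
}

# Stand-alone run: print the rules, then the denied events from the sample.
failed_access_rules
sample_audit_log | permission_denied_events
```

On a live system each rule line would be passed to `auditctl` and the results queried with `ausearch -k denied-open`; of the four constructed records only the two with `exit=-13` are reported, which is the point of filtering on the exit code rather than on `success` alone.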
