Basic audit test fails

Steve Brueckner steve at atc-nycorp.com
Wed Mar 22 17:17:15 UTC 2006


I'm having trouble getting started with audit on FC4.  

First, it appears I don't have file watch enabled in my kernel.  Is file
watch enabled in the FC5 kernel, or still only in RHEL?

Second, I tried a basic test to audit files opened by a specific user (per
the auditctl man page) but it doesn't seem to work:

------------>8------------

[root at localhost ~]# auditctl -a exit,always -S open -F loginuid=600
audit.log:
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
audit rule

[develop at localhost ~]$ id
uid=600(develop) gid=600(develop) groups=600(develop)
context=user_u:system_r:unconfined_t
[develop at localhost ~]$ echo foo >> temp
audit.log:
<NO OUTPUT TO AUDIT LOG>

[root at localhost ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256
lost=0 backlog=0

[root at localhost ~]# auditctl -l
AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
File system watches not supported
audit.log:
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:  unrecognized
netlink message  type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
success=no exit=-22  a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
auid=4294967295 uid=0 gid=0 euid=0  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1142975791.439:6635): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec
a2=10 a3=0  a4=bfb8fd08 a5=c

[root at localhost ~]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005
i686 i686  i386 GNU/Linux

[root at localhost ~]# getenforce
Enforcing

------------8<------------

Should this experiment have produced any output to audit.log when the user
wrote to a file?  If not, why not?  If so, could the stuff being logged
during the rules listing indicate a problem, or are those "unrecognized
netlink messages" normal?

Thanks for any help,

Steve Brueckner, ATC-NY
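As an added example (not part of the post and not audit-project code), a small Python parser for audit.log records in the format quoted above. It groups records by their msg=audit(timestamp:serial) event id and flags a SYSCALL record whose auid is 4294967295 (the unsigned form of -1, meaning no login uid was ever set for that process, so a -F loginuid=600 rule can never match it) or whose exit is -22 (EINVAL). The sample records are the ones from the post, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the post, one record per line.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:  unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1142975791.439:6635): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0 a4=bfb8fd08 a5=c
"""

UNSET_AUID = 2**32 - 1  # the kernel reports an unset loginuid (-1) as unsigned 32-bit
EINVAL = -22            # errno value behind exit=-22

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_record(line):
    """Split one record into its type, timestamp, serial and key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(text):
    """Records sharing a serial belong to one event; collect them together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def check_syscall(rec):
    """Return the things a reviewer would notice about a SYSCALL record."""
    findings = []
    f = rec["fields"]
    if int(f.get("auid", UNSET_AUID)) == UNSET_AUID:
        findings.append("auid unset: no login uid, so an auid=/loginuid= rule cannot match this process")
    if f.get("success") == "no":
        errno_note = " (EINVAL)" if int(f.get("exit", 0)) == EINVAL else ""
        findings.append(f"syscall {f.get('syscall')} failed with exit={f.get('exit')}{errno_note}")
    return findings


if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_LOG).items()):
        for rec in recs:
            if rec["type"] == "SYSCALL":
                print(serial, rec["fields"]["comm"], check_syscall(rec))
```

The same unset-auid test applied to a record from the develop user's shell would tell you whether the session that ran `echo foo >> temp` had a login uid at all.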
