Basic audit test fails

Timothy R. Chavez tinytim at us.ibm.com
Wed Mar 22 19:30:49 UTC 2006


On Wed, 2006-03-22 at 12:17 -0500, Steve Brueckner wrote:
> I'm having trouble getting started with audit on FC4.  
> 
> First, it appears I don't have file watch enabled in my kernel.  Is file
> watch enabled in the FC5 kernel, or still only in RHEL?

Only in RHEL4 AFAIK.  Not sure it's going to make FC5, but Steve could
better answer this.

> 
> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
> 
> ------------>8------------
> 
> [root at localhost ~]# auditctl -a exit,always -S open -F loginuid=600

Just curious, have you tried: -F uid=600 ??

<snip>
> audit.log:
> type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
> audit rule
> 
> [develop at localhost ~]$ id
> uid=600(develop) gid=600(develop) groups=600(develop)
> context=user_u:system_r:unconfined_t
> [develop at localhost ~]$ echo foo >> temp
> audit.log:
> <NO OUTPUT TO AUDIT LOG>
> 
> [root at localhost ~]# auditctl -s
> AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256
> lost=0 backlog=0
> 
> [root at localhost ~]# auditctl -l
> AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
> File system watches not supported
> audit.log:
> type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:  unrecognized
> netlink message  type=1009 for sclass=49
> type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
> success=no exit=-22  a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
> auid=4294967295 uid=0 gid=0 euid=0  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0

Says here your loginuid (auid) is unsigned(-1), eh?  Do you have the
proper PAM packages?

<snip>
> Thanks for any help,
> 
> Steve Brueckner, ATC-NY
> 

-tim
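The diagnosis above hinges on one detail of the quoted audit.log: the SYSCALL record carries auid=4294967295, the kernel's "loginuid never set" marker, so a rule filtered on loginuid=600 can never match events from that session. The following script is an added example (not part of the thread, auditd or auditctl) that parses audit.log records, flags SYSCALL events whose auid is unset, and emulates what a `-S open -F loginuid=600` rule would match. It assumes the i386 syscall table (arch=40000003 is AUDIT_ARCH_I386, open=5, socketcall=102); the first three sample lines are copied from the thread's log excerpt and the fourth is constructed to show a record the rule would match.

```python
import re

# Login UID value the kernel reports when no loginuid was ever set for the
# process (unsigned -1, i.e. 0xFFFFFFFF). pam_loginuid is what normally sets it
# at login; without it, every loginuid-based audit filter is blind.
UNSET_AUID = 0xFFFFFFFF

# i386 syscall numbers relevant to the thread (assumed: arch=40000003 is
# AUDIT_ARCH_I386, where open is 5 and socketcall, seen in the log, is 102)
SYSCALL_I386 = {"open": 5, "socketcall": 102}

# Sample input: the first three lines are copied from the audit.log excerpt
# quoted in the thread; the fourth is constructed to show a record that a
# loginuid=600 rule would actually match.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:  unrecognized netlink message  type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22  a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498 auid=4294967295 uid=0 gid=0 euid=0  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=SYSCALL msg=audit(1142975800.000:6640): arch=40000003 syscall=5 success=yes exit=3 a0=bfb89a00 a1=441 a2=1b6 a3=0 items=1 pid=27510 auid=600 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one audit.log line into a dict; returns None for lines that do
    not carry the standard 'type=... msg=audit(ts:serial):' header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        # key=value pairs in the body; free text such as "SELinux:" is skipped
        "fields": dict(FIELD_RE.findall(m.group("body"))),
    }


def parse_log(text):
    """Parse a whole log excerpt, dropping lines that are not audit records."""
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def auid_is_unset(record):
    """True when the record's auid is the kernel's 'never set' marker."""
    auid = record["fields"].get("auid")
    return auid is not None and int(auid) == UNSET_AUID


def rule_would_match(record, syscall_name, loginuid):
    """Emulate 'auditctl -a exit,always -S <syscall_name> -F loginuid=<n>'
    against one record, using the assumed i386 syscall table."""
    if record["type"] != "SYSCALL":
        return False
    f = record["fields"]
    return (int(f.get("syscall", -1)) == SYSCALL_I386[syscall_name]
            and int(f.get("auid", UNSET_AUID)) == loginuid)


def find_unset_loginuid(records):
    """Serials of SYSCALL records whose auid was never set. Any of these means
    the session was started without pam_loginuid, so loginuid filters cannot
    see its activity; the fix is in the PAM stack, not the audit rule."""
    return [r["serial"] for r in records
            if r["type"] == "SYSCALL" and auid_is_unset(r)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        if r["type"] == "SYSCALL":
            status = "auid unset" if auid_is_unset(r) else "auid=" + r["fields"]["auid"]
            print(r["serial"], status,
                  "matches -S open -F loginuid=600:", rule_would_match(r, "open", 600))
    print("sessions without loginuid:", find_unset_loginuid(recs))
```

Run against a real audit.log, a non-empty result from find_unset_loginuid is the thing to check first whenever a loginuid-based rule produces nothing: it separates "the rule is wrong" from "the kernel never had a loginuid to compare against".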



