Not trapping 'symlink' system call

Steve Grubb sgrubb at redhat.com
Wed Jun 6 19:25:52 UTC 2007


On Wednesday 06 June 2007 14:40, Eric Howard wrote:
> I have been tasked to generate test cases to validate the proper execution
> of particular syscall audit flags.

I think HP open sourced a test suite that tests the audit system:
http://sourceforge.net/projects/audit-test

> In most cases I have succeeded in triggering audit log entries. However, I
> have been unable to trigger audit entries for the 'symlink call'. My test
> cases are generated by a shell script that executes commands to trigger the
> relevant calls. In my test case I created a hard-link and a soft-link
> using /bin/ln. Running strace indicated that the syscall was definitely
> made but 'ausearch -sc symlink' shows nothing. I am using
> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.

Looking at the syscalls, it should trigger on something like:

auditctl -a always,exit -S symlink

Or were you testing it another way?

-Steve
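
An offline cross-check for a test case like the one discussed in this thread, added here as an example (it is not from the original post or from the audit project): it counts symlink SYSCALL records in raw audit log text by architecture and syscall number instead of by name. The function names and the log lines are constructed for illustration, and the numbers assumed are 88 for symlink on x86_64 and 83 on i386.

```shell
#!/bin/sh
# Added example: count symlink(2) events in raw audit records without
# relying on syscall-name lookup. Numbers are per-architecture:
#   arch=c000003e (x86_64): symlink=88   arch=40000003 (i386): symlink=83

# Reads audit records on stdin, prints the number of symlink SYSCALL records.
count_symlink_events() {
    awk '
        $1 == "type=SYSCALL" {
            arch = ""; nr = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^arch=/)    arch = substr($i, 6)
                if ($i ~ /^syscall=/) nr = substr($i, 9)
            }
            if ((arch == "c000003e" && nr == "88") ||
                (arch == "40000003" && nr == "83"))
                n++
        }
        END { print n + 0 }
    '
}

# Constructed sample records (not captured from a real system).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1181157952.101:201): arch=c000003e syscall=88 success=yes exit=0 items=2 pid=4101 comm="ln" exe="/bin/ln"
type=PATH msg=audit(1181157952.101:201): name="soft-link"
type=SYSCALL msg=audit(1181157952.140:202): arch=c000003e syscall=86 success=yes exit=0 items=2 pid=4102 comm="ln" exe="/bin/ln"
type=SYSCALL msg=audit(1181157953.010:203): arch=40000003 syscall=83 success=no exit=-17 items=2 pid=4103 comm="ln" exe="/bin/ln"
type=SYSCALL msg=audit(1181157953.500:204): arch=c000003e syscall=83 success=yes exit=0 items=1 pid=4104 comm="mkdir" exe="/bin/mkdir"
EOF
}

# Record 202 is link(2) (hard link) and 204 is mkdir(2) on x86_64, which
# shares number 83 with i386 symlink; neither is counted.
sample_log | count_symlink_events
```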



