Not trapping 'symlink' system call
Eric Howard
pt3vjld02 at sneakemail.com
Wed Jun 6 19:56:49 UTC 2007
Ah, I see my mistake. I was using 'possible' instead of 'always'. Thanks for your help!
-- Eric --
Steve Grubb sgrubb-at-redhat.com |redhat-audit-mailing-list| wrote:
> On Wednesday 06 June 2007 14:40, Eric Howard wrote:
>> I have been tasked to generate test cases to validate the proper execution
>> of particular syscall audit flags.
>
> I think HP open sourced a test suite that tests the audit system:
> http://sourceforge.net/projects/audit-test
>
>> In most cases I have succeeded in triggering audit log entries. However, I
>> have been unable to trigger audit entries for the 'symlink call'. My test
>> cases are generated by a shell script that executes commands to trigger the
>> relevant calls. In my test case I created a hard-link and a soft-link
>> using /bin/ln. Running strace indicated that the syscall was definitely
>> made but 'ausearch -sc symlink' shows nothing. I am using
>> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
>
> Looking at the syscalls, it should trigger on something like:
>
> auditctl -a always,exit -S symlink
>
> Or were you testing it another way?
>
> -Steve
>
--------------------------------------
Protect yourself from spam,
use http://sneakemail.com
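
The test procedure discussed in this thread, as an added example that is not part of the original messages: it rejects a rule whose action is not 'always' (the mistake identified above) before running the live check. The function names and the /etc/hostname link target are assumptions made for illustration; the live check needs root and a running auditd.

```shell
#!/bin/sh
# Added example (not from the thread): check a syscall audit rule, then test it.

# Print the action (always|possible|never) of an auditctl -a/-A rule string.
rule_action() {
    set -- $1                       # split the rule into words
    while [ $# -gt 1 ]; do
        case $1 in
            -a|-A)
                for part in $(printf '%s' "$2" | tr ',' ' '); do
                    case $part in
                        always|possible|never) echo "$part"; return 0 ;;
                    esac
                done
                return 1 ;;
        esac
        shift
    done
    return 1
}

# Succeed only if RULE uses 'always' and names SYSCALL with -S.
rule_logs_syscall() {
    [ "$(rule_action "$1")" = always ] || return 1
    case " $1 " in
        *" -S $2 "*) return 0 ;;
    esac
    return 1
}

# Live check: needs root and a running auditd. Counts SYSCALL records
# returned by 'ausearch -sc symlink' before and after creating a symlink.
live_test() {
    rule="always,exit -S symlink"
    rule_logs_syscall "-a $rule" symlink || return 2
    dir=$(mktemp -d) || return 2
    before=$(ausearch -sc symlink 2>/dev/null | grep -c 'type=SYSCALL' || true)
    auditctl -a $rule || return 2
    ln -s /etc/hostname "$dir/link"         # expected to issue symlink(2)
    sleep 1                                 # give auditd time to write
    after=$(ausearch -sc symlink 2>/dev/null | grep -c 'type=SYSCALL' || true)
    auditctl -d $rule                       # remove the test rule again
    rm -rf "$dir"
    [ "$after" -gt "$before" ]
}

if [ "${1:-}" = live ]; then live_test; fi
```

Run it as root with the argument `live` to perform the real check; confirm with strace, as the original post did, that ln actually issues symlink(2) on the system under test.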