Why doesn't chown produce an event

Evans, Robert B. Bob.Evans at jhuapl.edu
Wed May 2 15:45:08 UTC 2007


Hmm... The documentation says that it is best to combine system calls on
one line.
And in fact the sample audit.rules for NISPOM coverage posted by this
site have the system calls on one line as well.

Bob

-----Original Message-----
From: Marcus Meissner [mailto:meissner at suse.de] 
Sent: Wednesday, May 02, 2007 11:15 AM
To: Evans, Robert B.
Cc: linux-audit at redhat.com
Subject: Re: Why doesn't chown produce an event

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> 
> I have the following rule in audit.rules
> 
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F key=mod
> 
> If I log in as a typical user and try "chown bob /etc/shadow" I don't 
> get an event produced, however if I try "chmod 666 /etc/shadow" I do.
> 
> What am I missing here?
> 
> Thanks!

You need to give 1 system call per line, I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus



