Example
Steve Grubb
sgrubb at redhat.com
Wed Sep 24 11:34:20 UTC 2008
On Tuesday 23 September 2008 12:18:27 Fulda, Paul (Space Technology) wrote:
> Can someone give me an example of how to audit the "date" command in the
> audit.rules file.
The "watch" style commands will not work. The audit system works at the
syscall level. So, under the hood, the audit system will place a rule on
execve, or open on your behalf. Neither of these are the actual syscall that
fails.
> I would like for it to report only failures for a user using the command.
> Root using the command would report nothing. I can get this working for file
> watches but not for executables using
strace is your friend. I ran a command that would fail and see something like
this:
write(3, "strace: exec: Permission denied\n"..., 32strace: exec: Permission
denied
) = 32
close(3) = 0
munmap(0x7f17fc707000, 4096) = 0
exit_group(1)
So, we should be able to place a rule on exit_group.
-a exit,always -S exit_group -F a0=1 -F auid>=500
But I'm really not sure this will give you good, quality results. You can
experiment and see. But the audit system is at the syscall level and not the
application level and that should always be taken into account.
-Steve
More information about the Linux-audit
mailing list