questions about auditing on a new RH 6 box
Steve Grubb
sgrubb at redhat.com
Fri Jan 14 19:12:41 UTC 2011
On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.
This is coming from:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11
Which says, audit mknod calls that are not successful and whose errno does not equal
EAGAIN for anyone that logged in as root.
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
Which says audit mknod calls that are not successful, it's a system event meaning not
coming from a user session, and the exit code is not EAGAIN.
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
Which says audit mknod calls that are successful and the exit code is not EAGAIN.
Are you sure this is what you intended?
-Steve
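An added example, not part of this thread or of the audit package: a small Python reader that parses the three rules quoted above (including the attached-argument form `-Fsuccess=0`) and renders the same plain-English reading Steve gives, plus a lint that flags the third rule's combination of `success=1` with a negative `exit` filter, since a successful call never returns -errno. The rule strings are those from the message; the function names are assumed.

```python
import re
import shlex
ERRNO_NAMES = {-11: "EAGAIN"}  # the only errno this thread mentions; a failed syscall's exit is -errno
FIELD_RE = re.compile(r"^(\w+)(!=|<=|>=|&=|=|<|>|&)(.+)$")

def parse_rule(rule):
    """Split one auditctl rule into action, syscalls and fields {name: (op, value)}.
    Accepts both '-F success=0' and the attached form '-Fsuccess=0' seen above."""
    toks = shlex.split(rule.split("#", 1)[0])  # ignore a trailing comment
    out = {"action": None, "syscalls": [], "fields": {}}
    i = 0
    while i < len(toks):
        opt, arg = toks[i][:2], toks[i][2:]
        if opt in ("-a", "-S", "-F") and not arg:  # detached argument: '-F success=0'
            i += 1
            arg = toks[i]
        if opt == "-a":
            out["action"] = arg
        elif opt == "-S":
            out["syscalls"].append(arg)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"cannot parse field {arg!r}")
            out["fields"][m.group(1)] = (m.group(2), m.group(3))
        i += 1
    return out

def describe(rule):
    """Render a rule in the plain-English form used in the reply above."""
    p = parse_rule(rule)
    f = p["fields"]
    text = f"audit {', '.join(p['syscalls'])} calls"
    if "success" in f:
        text += " that succeeded" if f["success"][1] == "1" else " that failed"
    if "auid" in f:
        v = f["auid"][1]  # auid=-1 means no login uid was ever set, i.e. not a user session
        text += {"0": " from root login sessions", "-1": " from no login session (system event)"}.get(v, f" from login uid {v}")
    if "exit" in f:
        op, v = f["exit"]
        text += f" whose exit code is {'not ' if op == '!=' else ''}{ERRNO_NAMES.get(int(v), v)}"
    return text

def lint(rule):
    """Flag a filter pair that cannot narrow anything: a successful call never exits with -errno."""
    f = parse_rule(rule)["fields"]
    if f.get("success", ("", ""))[1] == "1" and "exit" in f and int(f["exit"][1]) < 0:
        return ["success=1 combined with a negative exit filter: the exit test never excludes anything"]
    return []
```

Running `describe` over the three rules shows that only the first two match failed calls; the third, despite the comment above it, records every successful mknod/acct/swapon/sethostname call.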