linux auditd: Not getting log for chmod syscall
bharat gupta
bharatguptagg at gmail.com
Wed Jan 18 11:10:02 UTC 2012
when i am using auid>=500 in quote like u have told -a always,exit -F
arch=b64 -S chmod -S fchmod -S fchmodat -F
'auid>=500' -F auid!=4294967295 -k perm_mod
it is giving error :
#service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
-F unknown field: "auid
There was an error in line 102 of /etc/audit/audit.rules
On Sat, Jan 14, 2012 at 1:34 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote:
> > I am using redhat 6, and trying to create logs for some system call using
> > the rule given below:
> >
> > *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500
> > -F auid!=4294967295 -k perm_mod*
>
> The rule works for me.
>
> # auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F
> 'auid>=500' -F auid!=4294967295 -k perm_mod
>
> I don't have any asterisk and I have single quote marks since bash will
> interpret the > as a redirection. But then doing a chmod command, it does
> pick
> up the fchmodat() syscall.
>
>
> > After running command chmod i was not able to get any log, but when i
> used
> > strace command i have seen that syscall have been called.
> > I also checked that auditd service is running properly.
>
> When you use auditctl -l, is the rule just like you expected?
>
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4)
> auid!=-1
> (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
>
> It should just work unless you are on a distribution that does not really
> support auditing.
>
> -Steve
>
--
Bharat Gupta
IIT -Roorkee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20120118/fd9a6c23/attachment.htm>
More information about the Linux-audit
mailing list