How to capture mount event in /var/log/audit/audit.log
Linda Knippers
linda.knippers at hp.com
Mon Jul 9 21:35:37 UTC 2012
Peter Moody wrote:
> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty at gmail.com> wrote:
>> Hi Linda
>>
>> Thanks for the response,
>>>> $ mount /dev/hdc /dev/cdrom
>>>> mount: only root can do that
>> $ strace mount
>> shows a few lines plus the following:
>> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>> (Permission denied)
>>
>> Then the root window that has tail -f /var/log/audit/audit.log
>> does capture unsuccessful mount with exit=-13
>>
>> I need /var/log/audit/audit.log to be able to capture the mount event
>> automatically without strace intervention.
>
> On my system, I see no difference WRT audit.log between 'mount' &
> 'strace mount'; neither ends up calling the mount system call so
> neither generates an audit log.
Same for me.
Betty, what does your audit record look like?
As it stands today with syscall auditing, I suspect you'll only get
an audit record for mount(2) if the mount command succeeds or if it
fails for a reason that the mount command itself isn't checking for.
-- ljk
>
> Cheers,
> peter
>
>> Betty
>>
>> ---------- Forwarded message ----------
>> From: Betty Man <man.bty at gmail.com>
>> Date: Fri, Jul 6, 2012 at 10:53 PM
>> Subject: capture mount event in /var/log/audit/audit.log
>> To: linux-audit at redhat.com
>>
>>
>> Hi Everyone,
>>
>> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>>
>> Have the following in the /etc/audit/audit.rules
>> ## non-privilege users using mount command.
>> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>
>> from a general user account
>>
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
>>
>> but /var/log/audit/audit.log does not capture this event
>>
>> Any input is much appreciated!
>>
>> Thanks in advance
>>
>> Betty
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
More information about the Linux-audit
mailing list