How to capture mount event in /var/log/audit/audit.log

Giang Nguyen cauthu at gmail.com
Mon Jul 9 21:57:34 UTC 2012 

It's probably because the mount(8) program fails -- apparently because
you are not root -- before it gets to call the mount(2) syscall. That
is why you don't see the mount syscall in either strace output or
audit log. Try running your mount command as root.

On Mon, Jul 9, 2012 at 5:35 PM, Linda Knippers <linda.knippers at hp.com> wrote:
> Peter Moody wrote:
>> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty at gmail.com> wrote:
>>> Hi Linda
>>>
>>> Thanks for the response,
>>>>> $ mount /dev/hdc /dev/cdrom
>>>>> mount: only root can do that
>>> $ strace mount
>>> shows a few lines plus the following:
>>>  open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>>> (Permission denied)
>>>
>>> Then the root window  that has tail -f /var/log/audit/audit.log
>>> does capture unsuccessful mount with exit=-13
>>>
>>> I need /var/log/audit/audit.log to be able to capture the mount event
>>> automatically  without strace intervention.
>>
>> On my system, I see no difference WRT audit.log between 'mount' &
>> 'strace mount'; neither ends up calling the mount system call so
>> neither generates an audit log.
>
> Same for me.
>
> Betty, what does your audit record look like?
>
> As it stands today with syscall auditing, I suspect you'll only get
> an audit record for mount(2) if the mount command succeeds or if it
> fails for a reason that the mount command itself isn't checking for.
>
> -- ljk
>>
>> Cheers,
>> peter
>>
>>> Betty
>>>
>>> ---------- Forwarded message ----------
>>> From: Betty Man <man.bty at gmail.com>
>>> Date: Fri, Jul 6, 2012 at 10:53 PM
>>> Subject: capture mount event in /var/log/audit/audit.log
>>> To: linux-audit at redhat.com
>>>
>>>
>>> Hi Everyone,
>>>
>>>  in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5
>>>
>>> Have the following in the /etc/audit/audit.rules
>>> ## non-privilege users using mount command.
>>>  -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
>>>
>>> from a general user account
>>>
>>> $ mount /dev/hdc /dev/cdrom
>>> mount: only root can do that
>>>
>>> but /var/log/audit/audit.log   does not capture this event
>>>
>>> Any input is much appreciated!
>>>
>>> Thanks in advance
>>>
>>> Betty
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit at redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list