Seeking auditd help
Steve Grubb
sgrubb at redhat.com
Mon May 11 19:52:47 UTC 2015
On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> Any pointers for troubleshooting auditd missing events for file reads,
> edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
>
> http://security.stackexchange.com/q/89009/56827
The -w notation is the same as
-a always,exit -F path=XXX -F perms=rwa
What this does is audit the following functions defined in the syscall
classifiers:
http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
You are not going to get a hit for each and every read system call because
read is not audited.
-Steve
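To see which system calls a `-w` watch actually reports, the following added shell snippet (not part of the original thread) tallies raw `type=SYSCALL` records per syscall name for a given rule key; the log lines are constructed for illustration, and the syscall numbers assumed are x86_64 (read=0, write=1, open=2, openat=257), so adjust the table for other architectures.

```shell
#!/bin/sh
# Tally SYSCALL records per syscall name for one audit rule key.
# Assumes x86_64 syscall numbers; a watch on a file shows up under
# open/openat (and write for -p w), never under read, since read()
# is not in the audited syscall classes.

# Constructed sample audit.log lines (not from a real system).
SAMPLE_LOG='type=SYSCALL msg=audit(1431373000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0000 a1=0 key="etc_watch"
type=SYSCALL msg=audit(1431373000.102:202): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7fff0010 key="etc_watch"
type=SYSCALL msg=audit(1431373000.103:203): arch=c000003e syscall=2 success=yes exit=5 a0=7fff0020 a1=241 key="etc_watch"
type=PATH msg=audit(1431373000.103:203): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644'

syscall_name() {
    case "$1" in
        0) echo read ;;
        1) echo write ;;
        2) echo open ;;
        257) echo openat ;;
        *) echo "syscall_$1" ;;
    esac
}

# Read raw audit log lines on stdin; print "name count" per syscall
# for SYSCALL records tagged with the given key.
count_syscalls_for_key() {
    key="$1"
    grep '^type=SYSCALL ' |
    grep "key=\"$key\"" |
    sed -n 's/.*syscall=\([0-9]*\).*/\1/p' |
    sort | uniq -c |
    while read -r n nr; do
        printf '%s %s\n' "$(syscall_name "$nr")" "$n"
    done
}

# Read raw audit log lines on stdin; print the hit count (0 if none)
# for one syscall name under the given key.
hits_for() {
    count_syscalls_for_key "$1" |
    awk -v want="$2" '$1 == want { print $2; found = 1 } END { if (!found) print 0 }'
}

# Example run against the constructed sample instead of /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_LOG" | count_syscalls_for_key etc_watch
```

Pipe a real log in with `count_syscalls_for_key KEY < /var/log/audit/audit.log` to check whether the hits you do get are open/openat rather than read.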