New bug in Audit
Ariel Silver
arielsilver77 at gmail.com
Thu Jan 5 09:46:06 UTC 2023
I found the following bug:
OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
Kernel version = 4.18.0-425.3.1.el8.x86_64
auditctl version = 3.0.7
Scenario 1:
When I load the configuration:
*auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=1*
And run the command:
*cp /tmp/1 /tmp/2*
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.
Scenario 2:
When I load the configuration:
*auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=0*
And run the command:
*cp /tmp/1 /tmp/2*
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.
Scenario 3:
When I load the configuration:
*auditctl -a always,exit -S all -F dir=/ -F perm=w*
And run the command:
*cp /tmp/1 /tmp/2*
Yes, a new log is created in: /var/log/audit/audit.log
File was indeed copied.
Conclusion:
Only when I don't use -F success are new logs created.
Why is that?
Any alternative?