On Thu, Aug 03, 2006 at 09:00:25AM -0400, Williams, P. Lane wrote: > I get .... > > ---- > type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 > syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 > a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users > euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users > comm=more exe=/bin/more > ----
This is from "ausearch -i"? The raw audit log shouldn't have the "(Permission denied)" part in it, but apart from that it seems that the kernel is auditing things correctly and this is unrelated to the bug I had referred to. > so I only get permission denied entries. Auditctl allows me to create the > rule, and it list the rule. But nothing is logged, when I know it should be. > > I am running the 2.6.16.21 kernel (SUSE Enterprise Desktop 10) on AMD64 dual > core machines. This kernel has a snapshot of the audit code that was in development at the time. Can you please try with a newer upstream kernel and/or bug SUSE to incorporate the current audit fixes in an update? -Klaus -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
