On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> > Last time it was working for chmod but this time when I am
> > trying to get log for open system call, I have made similar
> > changes in rules but did not get any log. Can you suggest
> > something? Details are given below:

The rules below only record events where access is denied based on permission problems.

> > *rules*:
> >
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b32 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EACCES -F auid!=4294967295 -k access
> > -a always,exit -F arch=b64 -S creat -S open -S openat -S
> > truncate -F exit=-EPERM -F auid!=4294967295 -k access
> >
> > *strace output*: file has been attached, named "output for
> > open sytem call.txt"
> >
> >
> > strace -o /root/open_output open w
> > /root/test01

I don't see any strace. However, if open is succeeding, the above rules would not catch it. Or if it's failing for any reason except a permission problem such as ENOEXIST the rules will not catch it.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
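To make the point about `-F exit=` concrete, here is a small matcher (an added example, not code from the thread or from audit-userspace) that parses the four posted rules and reports which of them would record a given syscall exit. It only models the filters the posted rules use (arch, -S, exit=, auid!=) and the event fields are a constructed stand-in for what the kernel evaluates; real auditctl supports far more.

```python
import errno
import re
import shlex

# The four rules from the thread, joined back onto single lines.
POSTED_RULES = [
    "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access",
    "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access",
    "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid!=4294967295 -k access",
    "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid!=4294967295 -k access",
]

def _value(field, raw):
    """Make a filter value comparable: 'exit=-EACCES' -> -13, '4294967295' -> int, 'b64' stays a string."""
    if field == "exit" and raw.lstrip("-").startswith("E"):
        n = getattr(errno, raw.lstrip("-"))  # symbolic errno name, as auditctl accepts
        return -n if raw.startswith("-") else n
    try:
        return int(raw)
    except ValueError:
        return raw

def parse_rule(line):
    """Parse one auditctl rule line into its syscall set, field filters and key (the -a list is ignored here)."""
    toks = shlex.split(line)
    rule = {"syscalls": set(), "filters": [], "key": None}
    for flag, arg in zip(toks, toks[1:]):
        if flag == "-S":
            rule["syscalls"].add(arg)
        elif flag == "-F":
            field, op, raw = re.fullmatch(r"(\w+)(!=|=)(.+)", arg).groups()
            rule["filters"].append((field, op, _value(field, raw)))
        elif flag == "-k":
            rule["key"] = arg
    return rule

def rule_matches(rule, event):
    """event: constructed dict with arch, syscall, exit (fd or -errno) and auid."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    for field, op, want in rule["filters"]:
        have = event[field]
        if (op == "=" and have != want) or (op == "!=" and have == want):
            return False
    return True

def matching_keys(rules, event):
    """Keys of every rule that would record this syscall exit; empty means no audit record."""
    return [r["key"] for r in map(parse_rule, rules) if rule_matches(r, event)]
```

A successful open (exit is a file descriptor) and an open failing with ENOENT both yield an empty list, which is exactly why no record appeared; only an EACCES or EPERM failure from a logged-in user hits the `access` key.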
