audit.log

Betty Man Fri, 06 Jul 2012 22:59:01 -0700

Hi Everyone,

 in RHEL 5.5    kernel  2.6.18-194.el5         audit-1.7.17-3.el5


Have the following in the /etc/audit/audit.rules
## non-privilege users using mount command.
 -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

from a general user account

$ mount /dev/hdc /dev/cdrom
mount: only root can do that

but /var/log/audit/audit.log   does not capture this event

Any input is much appreciated!

Thanks in advance

Betty

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

capture mount event in /var/log/audit/audit.log

Reply via email to