Betty Man wrote: > Hi Everyone, > > in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5 > > Have the following in the /etc/audit/audit.rules > ## non-privilege users using mount command. > -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k > export > -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
This audits the mount system call, rather than the mount command. > > from a general user account > > $ mount /dev/hdc /dev/cdrom > mount: only root can do that > > but /var/log/audit/audit.log does not capture this event > > Any input is much appreciated! My guess is that the mount command is doing its own check and is failing before it attempts the mount system call. If you run $ strace mount /dev/hdc /dev/cdrom you'll see the system calls that are executed. I suspect there is no mount system call in the output. -- ljk > > Thanks in advance > > Betty > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
