On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <[email protected]> wrote: > Hi Linda > > Thanks for the response, >>> $ mount /dev/hdc /dev/cdrom >>> mount: only root can do that > > $ strace mount > shows a few lines plus the following: > open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES > (Permission denied) > > Then the root window that has tail -f /var/log/audit/audit.log > does capture unsuccessful mount with exit=-13 > > I need /var/log/audit/audit.log to be able to capture the mount event > automatically without strace intervention.
On my system, I see no difference WRT audit.log between 'mount' & 'strace mount'; neither ends up calling the mount system call so neither generates an audit log. Cheers, peter > Betty > > ---------- Forwarded message ---------- > From: Betty Man <[email protected]> > Date: Fri, Jul 6, 2012 at 10:53 PM > Subject: capture mount event in /var/log/audit/audit.log > To: [email protected] > > > Hi Everyone, > > in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5 > > Have the following in the /etc/audit/audit.rules > ## non-privilege users using mount command. > -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k > export > -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export > > from a general user account > > $ mount /dev/hdc /dev/cdrom > mount: only root can do that > > but /var/log/audit/audit.log does not capture this event > > Any input is much appreciated! > > Thanks in advance > > Betty > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
