Peter Moody wrote: > On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <[email protected]> wrote: >> Hi Linda >> >> Thanks for the response, >>>> $ mount /dev/hdc /dev/cdrom >>>> mount: only root can do that >> $ strace mount >> shows a few lines plus the following: >> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES >> (Permission denied) >> >> Then the root window that has tail -f /var/log/audit/audit.log >> does capture unsuccessful mount with exit=-13 >> >> I need /var/log/audit/audit.log to be able to capture the mount event >> automatically without strace intervention. > > On my system, I see no difference WRT audit.log between 'mount' & > 'strace mount'; neither ends up calling the mount system call so > neither generates an audit log.
Same for me. Betty, what does your audit record look like? As it stands today with syscall auditing, I suspect you'll only get an audit record for mount(2) if the mount command succeeds or if it fails for a reason that the mount command itself isn't checking for. -- ljk > > Cheers, > peter > >> Betty >> >> ---------- Forwarded message ---------- >> From: Betty Man <[email protected]> >> Date: Fri, Jul 6, 2012 at 10:53 PM >> Subject: capture mount event in /var/log/audit/audit.log >> To: [email protected] >> >> >> Hi Everyone, >> >> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5 >> >> Have the following in the /etc/audit/audit.rules >> ## non-privilege users using mount command. >> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k >> export >> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k >> export >> >> from a general user account >> >> $ mount /dev/hdc /dev/cdrom >> mount: only root can do that >> >> but /var/log/audit/audit.log does not capture this event >> >> Any input is much appreciated! >> >> Thanks in advance >> >> Betty >> >> -- >> Linux-audit mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/linux-audit > > > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
