Hi, I have found a weird behavior in auditd. File "/abc" does not exist.
audit.rules: -a always,exit -F arch=b32 -S open -S openat -a always,exit -F arch=b64 -S open -S openat A non-root user executes "echo > /abc", it doesn't get logged in audit.log. Same with "echo > /etc/abc" A non-root user executes "cat /abc", it gets logged in audit.log Since auditd is monitoring all the open and openat syscalls, ideally both the cases (i.e. read and write) should have be logged. After I execute "chmod a+w /" then "chmod a-w /", if a non-root user executes "echo > /abc", then it gets logged in audit.log. This looks like a bug to me. Kindly let me know if it's a bug or an intended feature. System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux Regards, Shourya Jaiswal
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
