It's probably because the mount(8) program fails -- apparently because
you are not root -- before it gets to call the mount(2) syscall. That
is why you don't see the mount syscall in either strace output or
audit log. Try running your mount command as root.
On Mon, Jul 9, 2012 at 5:35 PM, Linda Knippers <linda.knippers(a)hp.com> wrote:
Peter Moody wrote:
> On Mon, Jul 9, 2012 at 2:21 PM, Betty Man <man.bty(a)gmail.com> wrote:
>> Hi Linda
>>
>> Thanks for the response,
>>>> $ mount /dev/hdc /dev/cdrom
>>>> mount: only root can do that
>> $ strace mount
>> shows a few lines plus the following:
>> open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES
>> (Permission denied)
>>
>> Then the root window that has tail -f /var/log/audit/audit.log
>> does capture unsuccessful mount with exit=-13
>>
>> I need /var/log/audit/audit.log to be able to capture the mount event
>> automatically without strace intervention.
>
> On my system, I see no difference WRT audit.log between 'mount' &
> 'strace mount'; neither ends up calling the mount system call so
> neither generates an audit log.
Same for me.
Betty, what does your audit record look like?
As it stands today with syscall auditing, I suspect you'll only get
an audit record for mount(2) if the mount command succeeds or if it
fails for a reason that the mount command itself isn't checking for.
-- ljk
>
> Cheers,
> peter
>
>> Betty
>>
>> ---------- Forwarded message ----------
>> From: Betty Man <man.bty(a)gmail.com>
>> Date: Fri, Jul 6, 2012 at 10:53 PM
>> Subject: capture mount event in /var/log/audit/audit.log
>> To: linux-audit(a)redhat.com
>>
>>
>> Hi Everyone,
>>
>> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>>
>> Have the following in the /etc/audit/audit.rules
>> ## non-privilege users using mount command.
>> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k
export
>> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k
export
>>
>> from a general user account
>>
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
>>
>> but /var/log/audit/audit.log does not capture this event
>>
>> Any input is much appreciated!
>>
>> Thanks in advance
>>
>> Betty
>>
>> --
>> Linux-audit mailing list
>> Linux-audit(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit