Betty Man wrote:
> Hi Everyone,
>
> in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5
>
> Have the following in the /etc/audit/audit.rules
> ## non-privilege users using mount command.
> -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

This audits the mount system call, rather than the mount command.

> from a general user account
>
> $ mount /dev/hdc /dev/cdrom
> mount: only root can do that
>
> but /var/log/audit/audit.log does not capture this event
>
> Any input is much appreciated!

My guess is that the mount command is doing its own check and is
failing before it attempts the mount system call.  If you run
$ strace mount /dev/hdc /dev/cdrom
you'll see the system calls that are executed.
I suspect there is no mount system call in the output.
-- ljk

> Thanks in advance
>
> Betty
 
 --
 Linux-audit mailing list
 Linux-audit(a)redhat.com
 
https://www.redhat.com/mailman/listinfo/linux-audit
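
A way to test the rule itself, as an added example that is not part of the original thread: this small C program issues mount(2) directly, so the request reaches the kernel and the `-S mount` exit rule can match even though the call is denied. The helper names `try_mount` and `outcome`, the `iso9660` filesystem type, and a login session with a valid auid are assumptions; the device and target paths are the ones from the question.

```c
/* Added example: call mount(2) directly to exercise the audit rule. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Issue mount(2) with no user-space permission check beforehand.
 * Returns 0 on success, otherwise the errno reported by the kernel. */
int try_mount(const char *source, const char *target)
{
    /* iso9660, read-only: assumed filesystem type for a CD-ROM device. */
    if (mount(source, target, "iso9660", MS_RDONLY, NULL) == 0)
        return 0;
    return errno;
}

/* Summarise the result; any non-zero errno means the kernel saw the call. */
const char *outcome(int err)
{
    if (err == 0)
        return "mounted";
    if (err == EPERM || err == EACCES)
        return "denied by kernel";
    return "failed in kernel";
}

int main(int argc, char **argv)
{
    /* Defaults are the paths used in the question. */
    const char *source = argc > 1 ? argv[1] : "/dev/hdc";
    const char *target = argc > 2 ? argv[2] : "/dev/cdrom";
    int err = try_mount(source, target);

    printf("mount(2) %s on %s: %s (%s)\n", source, target,
           outcome(err), err ? strerror(err) : "ok");
    /* The syscall was made, so an exit,always rule on mount should log it. */
    puts("check with: ausearch -k export -sc mount");
    return 0;
}
```

Run it from the same general user account; the record should show the syscall with `success=no`, which the `mount` command never produces because it exits before making the call.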