Re: Current capabilities
On Wednesday 13 December 2006 18:16, Michael W Folsom wrote:
1) If someone tries to access an object (file, directory, program)
that
they don't have rights to the event needs to be recorded
-a always,exit -S open,opendir,execve -F exit=-13
This does it for 3 common syscalls. You can do it for any syscall you want.
You can use strace to figure out the syscalls you want.
2) if someone logs into a system and su's to another user or
series of
users their actions need to be traceable to the original login user's
id
It does this. There is a process attribute, loginuid, that keeps track of
this. The audit events have it as the auid field. We've already preconfigured
RHEL4/5 and FC4->rawhide to handle this.
-Steve