On Tuesday, January 24, 2012 10:30:41 AM bharat gupta wrote:
> Last time it was working for chmod but this time when I am
> trying to get a log for the open system call, I have made similar
> changes in rules but did not get any log. Can you suggest
> something? Details are given below:
The rules below only record events where access is denied based on permission
problems.
> *rules*:
>
> -a always,exit -F arch=b32 -S creat -S open -S openat -S
> truncate -F exit=-EACCES -F auid!=4294967295 -k access
> -a always,exit -F arch=b32 -S creat -S open -S openat -S
> truncate -F exit=-EPERM -F auid!=4294967295 -k access
> -a always,exit -F arch=b64 -S creat -S open -S openat -S
> truncate -F exit=-EACCES -F auid!=4294967295 -k access
> -a always,exit -F arch=b64 -S creat -S open -S openat -S
> truncate -F exit=-EPERM -F auid!=4294967295 -k access
>
> *strace output*: file has been attached named as "output for
> open system call.txt"
>
>
> strace -o /root/open_output open w
> /root/test01
I don't see any strace. However, if open is succeeding, the above rules would
not catch it. Or if it's failing for any reason except a permission problem such
as ENOEXIST, the rules will not catch it.
-Steve
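To make the point of the reply concrete, here is an added example (not from the thread, and not auditctl itself): a small model of how the `-F exit=` and `-F auid!=` filters in the quoted rules decide whether an open() event is recorded. The rule parser only understands the handful of auditctl options used in the quoted rules, and the events are constructed sample records, not real audit log output.

```python
"""Model of auditd exit-filter matching for the rules quoted in the thread."""
import errno
import shlex

# Negative errno values as they appear in an audit record's exit= field,
# e.g. "EACCES" -> -13 (values taken from the running platform's errno module).
NEG_ERRNO = {name: -code for code, name in errno.errorcode.items()}


def parse_rule(rule: str) -> dict:
    """Parse the subset of auditctl syntax in the quoted rules:
    -a always,exit, -F arch=/exit=/auid!=, -S syscall, -k key."""
    toks = shlex.split(rule)
    parsed = {"syscalls": set(), "filters": [], "key": None}
    for flag, val in zip(toks[0::2], toks[1::2]):
        if flag == "-S":
            parsed["syscalls"].add(val)
        elif flag == "-k":
            parsed["key"] = val
        elif flag == "-F":
            op = "!=" if "!=" in val else "="
            field, _, raw = val.partition(op)
            if field == "exit" and raw.startswith("-E"):
                value = NEG_ERRNO[raw[1:]]      # "-EACCES" -> -13
            elif field == "arch":
                value = raw                      # keep "b64"/"b32" as text
            else:
                value = int(raw)                 # auid and friends are numeric
            parsed["filters"].append((field, op, value))
    return parsed


def rule_matches(rule: dict, event: dict) -> bool:
    """True if every -S and -F condition of the rule holds for the event."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    for field, op, value in rule["filters"]:
        equal = event[field] == value
        if (op == "=" and not equal) or (op == "!=" and equal):
            return False
    return True


def matching_keys(rules, event) -> list:
    """Keys (-k) of all rules that would log this event; [] means not audited."""
    return sorted({r["key"] for r in rules if rule_matches(r, event)})


# The two b64 rules from the thread; the exit filter is what limits them to
# permission failures.
RULES = [parse_rule(r) for r in (
    "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate "
    "-F exit=-EACCES -F auid!=4294967295 -k access",
    "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate "
    "-F exit=-EPERM -F auid!=4294967295 -k access",
)]


def open_event(exit_code: int, auid: int = 1000) -> dict:
    """Constructed sample open() syscall record (not real audit output)."""
    return {"syscall": "open", "arch": "b64", "exit": exit_code, "auid": auid}
```

A successful open (exit is the new fd) and an ENOENT failure both produce no key, which is why a working open of /root/test01 leaves nothing for `ausearch -k access` to find; only EACCES/EPERM exits from a logged-in user match.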