capture mount event in /var/log/audit/audit.log
by Betty Man
Hi Everyone,
In RHEL 5.5 (kernel 2.6.18-194.el5, audit-1.7.17-3.el5) I have the following in /etc/audit/audit.rules:
## non-privilege users using mount command.
-a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
From a general user account:
$ mount /dev/hdc /dev/cdrom
mount: only root can do that
but /var/log/audit/audit.log does not capture this event.
Any input is much appreciated!
Thanks in advance
Betty
12 years, 4 months
-F dir=/nfs/path ?
by Peter Moody
How does auditd perform on a rule like the following, assuming that
/home/ is an nfs mount?
-a exit,always -F arch=b64 -S open -F dir=/home/ -F a2&2 -F success=1
-C euid!=obj_uid -k
Does this become a watch rule (and do watch rules even work with NFS)?
Assuming that the mount map for /home/ is giant (several K entries),
does this run the risk of filling fsnotify (inotify?) watch lists?
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 4 months
AUTO: Gavin Appleton is out of the office. (returning 09/07/2012)
by Gavin Appleton
I am out of the office until 09/07/2012.
Note: This is an automated response to your message "Linux-audit Digest,
Vol 94, Issue 1" sent on 4/7/2012 5:00:04 PM.
This is the only notification you will receive while this person is away.
12 years, 4 months
auditing syscalls made 'by' an inode?
by Peter Moody
Is there any way to audit syscalls made by a particular, not yet
running, application? For example, if I'm interested in seeing all
exec's by google-chrome, can I do something like the following?
auditctl -a exit,always -F arch=b64 -S execve -F success=1 -F
inode=inode-of-chrome
Experimenting seems to indicate that this will only tell me when
inode-of-chrome is exec'd, basically a watch rule.
The sort of inverse of this rule that got me thinking about this
initially was auditing a syscall and seeing if it was/wasn't called by
a particular program. For example, auditing all bind() calls which
*aren't* made by chrome (a silly rule to be sure, but just thrown out
as a hypothetical).
If it's not possible to do this now, is there interest in adding this feature?
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 4 months
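An added example, not taken from any of the posts above: a shell filter over constructed auditd SYSCALL records that applies the -k key and auid range from the first post's mount rule, and, for the last post, selects or excludes records by the exe= field at log-analysis time (every SYSCALL record carries the calling program's exe= and comm=, even though the kernel rule in that post only matches the file being exec'd). The log lines, paths and the "bindcalls" key are constructed sample data.

```shell
#!/bin/sh
# Post-hoc filtering of auditd SYSCALL records (constructed sample data below).
# audit_filter LOG KEY MIN_AUID [EXE]
#   EXE selects records whose exe= matches; "!EXE" selects those that do NOT,
#   i.e. the "bind() calls not made by chrome" query done on the log side.
audit_filter() {
    awk -v key="$2" -v min_auid="$3" -v exe="${4:-}" '
    $1 == "type=SYSCALL" {
        k = ""; a = ""; e = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            name = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (name == "key")  k = val
            if (name == "auid") a = val
            if (name == "exe")  e = val
        }
        # auid=4294967295 is "unset" (no login session), so the rule clause
        # auid!=4294967295 drops daemons such as automount.
        if (k != key || a == "4294967295" || a + 0 < min_auid + 0) next
        if (exe == "") print
        else if (substr(exe, 1, 1) == "!") { if (e != substr(exe, 2)) print }
        else if (e == exe) print
    }' "$1"
}

# Constructed sample records in the shape of real auditd SYSCALL lines (shortened).
# On x86_64 (arch=c000003e) syscall=165 is mount and syscall=49 is bind.
write_sample() {
    cat >"$1" <<'EOF'
type=SYSCALL msg=audit(1341400000.101:10): arch=c000003e syscall=165 success=yes exit=0 pid=2101 auid=500 uid=0 euid=0 comm="mount" exe="/bin/mount" key="export"
type=SYSCALL msg=audit(1341400000.102:11): arch=c000003e syscall=165 success=yes exit=0 pid=2200 auid=4294967295 uid=0 euid=0 comm="automount" exe="/usr/sbin/automount" key="export"
type=CWD msg=audit(1341400000.101:10): cwd="/home/betty"
type=SYSCALL msg=audit(1341400000.103:12): arch=c000003e syscall=49 success=yes exit=0 pid=2300 auid=501 uid=501 euid=501 comm="chrome" exe="/opt/google/chrome/chrome" key="bindcalls"
type=SYSCALL msg=audit(1341400000.104:13): arch=c000003e syscall=49 success=yes exit=0 pid=2400 auid=501 uid=501 euid=501 comm="nc" exe="/usr/bin/nc" key="bindcalls"
EOF
}

# Number of matching records, used for checks.
count_matches() { audit_filter "$@" | wc -l | tr -d ' '; }
```

Note that the first post's failed `mount` by a non-root user produces no record at all: the mount binary refuses in userspace before issuing the mount syscall, so a syscall rule never fires and nothing reaches the log for this filter to find.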