capture mount event in /var/log/audit/audit.log
by Betty Man
Hi Everyone,
On RHEL 5.5, kernel 2.6.18-194.el5, audit-1.7.17-3.el5,
I have the following in /etc/audit/audit.rules:
## non-privilege users using mount command.
-a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
From a general user account:
$ mount /dev/hdc /dev/cdrom
mount: only root can do that
But /var/log/audit/audit.log does not capture this event.
Any input is much appreciated!
Thanks in advance
Betty
12 years, 10 months
-F dir=/nfs/path ?
by Peter Moody
How does auditd perform on a rule like the following, assuming that
/home/ is an nfs mount?
-a exit,always -F arch=b64 -S open -F dir=/home/ -F a2&2 -F success=1 -C euid!=obj_uid -k
Does this become a watch rule (and do watch rules even work with nfs)?
Assuming that the mount map for /home/ is giant (several K entries),
does this run the risk of filling fsnotify (inotify?) watch lists?
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 10 months
AUTO: Gavin Appleton is out of the office. (returning 09/07/2012)
by Gavin Appleton
I am out of the office until 09/07/2012.
Note: This is an automated response to your message "Linux-audit Digest,
Vol 94, Issue 1" sent on 4/7/2012 5:00:04 PM.
This is the only notification you will receive while this person is away.
12 years, 10 months
auditing syscalls made 'by' an inode?
by Peter Moody
Is there any way to audit syscalls made by a particular, not yet
running, application? For example, if I'm interested in seeing all
exec's by google-chrome, can I do something like the following?
auditctl -a exit,always -F arch=b64 -S execve -F success=1 -F inode=inode-of-chrome
Experimenting seems to indicate that this will only tell me when
inode-of-chrome is exec'd, basically a watch rule.
The sort of inverse of this rule that got me thinking about this
initially was auditing a syscall and seeing if it was/wasn't called by
a particular program. For example, auditing all bind() calls which
*aren't* made by chrome (a silly rule to be sure, but just thrown out
as a hypothetical).
If it's not possible to do this now, is there interest in adding this feature?
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 10 months
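An added example, not code from this thread or from the audit project, that serves two of the questions above: Betty's "rule keyed export never fires" (first post) and Peter's "syscalls made by a particular program" (last post). For the first case, note that a non-root `mount /dev/hdc /dev/cdrom` with no matching user-mountable fstab entry is refused by the mount binary in userspace ("only root can do that") before mount(2) is ever issued, so there is no syscall for the kernel filter to match; the script shows what a captured record would look like when the setuid mount binary does make the call (uid=0 but auid=500, which is why the rule filters on auid, not uid), so a missing record can be told apart from a rule that never loaded (check with `auditctl -l`). For the second case, the audit 1.7 rule language on this page has no per-executable filter, so selecting records by the calling program is done by post-processing the `exe=` field of SYSCALL records (newer auditctl releases also accept an `exe=` field in rules). The log lines, paths, pids, auids and timestamps are constructed samples; syscall numbers are x86_64 (mount=165, execve=59, bind=49).

```python
"""Offline audit.log triage: parse SYSCALL records, check whether a keyed
rule fired, and select records by the executable that issued the syscall.
Added example for the linux-audit thread above; sample data is constructed."""
import re
from typing import Dict, Iterable, List

# Constructed audit 1.x-style records (not real captures). Record 1001 is the
# shape a setuid /bin/mount call produces for a user-mountable entry: uid=0
# because mount is setuid root, auid=500 because the login uid is preserved.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1341600000.123:1001): arch=c000003e syscall=165 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/bin/mount" key="export"
type=SYSCALL msg=audit(1341600001.456:1002): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=4 comm="chrome" exe="/opt/google/chrome/chrome" key="exec"
type=SYSCALL msg=audit(1341600002.789:1003): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3100 pid=3101 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=5 comm="bash" exe="/bin/bash" key="exec"
type=SYSCALL msg=audit(1341600003.000:1004): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=6 a2=7 a3=8 items=0 ppid=3000 pid=3001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=4 comm="chrome" exe="/opt/google/chrome/chrome" key="bind"
type=CWD msg=audit(1341600003.000:1004):  cwd="/home/user"
"""

# key=value tokens; values are either double-quoted strings or bare words.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# x86_64 syscall numbers for the calls discussed in the thread.
SYSCALLS = {"mount": 165, "execve": 59, "bind": 49}


def parse_record(line: str) -> Dict[str, str]:
    """Turn one raw audit line into a dict; adds 'time' and 'serial'."""
    rec: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    m = MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec


def syscall_records(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only SYSCALL records; CWD/PATH records share the serial number."""
    return [r for r in (parse_record(l) for l in lines if l.strip())
            if r.get("type") == "SYSCALL"]


def keyed_events(records: List[Dict[str, str]], key: str) -> List[Dict[str, str]]:
    """Records emitted by a rule tagged with -k <key>. An empty result means
    either no matching syscall was issued (the userspace refusal case) or the
    rule is not loaded; 'auditctl -l' distinguishes the two."""
    return [r for r in records if r.get("key") == key]


def by_exe(records: List[Dict[str, str]], syscall: int, exe: str,
           invert: bool = False) -> List[Dict[str, str]]:
    """Select records of one syscall issued by (or, with invert, not by) the
    executable at path `exe`, using the kernel-supplied exe= field."""
    out = []
    for r in records:
        if r.get("syscall") != str(syscall):
            continue
        match = r.get("exe") == exe
        if match != invert:
            out.append(r)
    return out


if __name__ == "__main__":
    recs = syscall_records(SAMPLE_LOG.splitlines())
    for r in keyed_events(recs, "export"):
        print(f"export rule fired: serial={r['serial']} auid={r['auid']} uid={r['uid']} exe={r['exe']}")
    chrome = "/opt/google/chrome/chrome"
    for r in by_exe(recs, SYSCALLS["execve"], chrome):
        print(f"execve by chrome: serial={r['serial']}")
    for r in by_exe(recs, SYSCALLS["bind"], chrome, invert=True):
        print(f"bind not by chrome: serial={r['serial']}")
```

Run it against a real log with `syscall_records(open("/var/log/audit/audit.log"))`; the `exe=` field is filled in by the kernel from the task's executable, so it cannot be spoofed by the process the way `comm=` (taken from the process name) can be.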