Last time it was working for chmod but this time when i am
trying to get log for open system call, i have made similar
changes in rules but did not get any log can you suggest
something. details are given below:

*rules*:

-a always,exit -F arch=b32 -S creat -S open -S openat -S
truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S
truncate -F exit=-EPERM -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S
truncate -F exit=-EACCES -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S
truncate -F exit=-EPERM -F auid!=4294967295 -k access

*strace output*: file have been attached named as "output for
open sytem call.txt"

strace -o /root/open_output open w
/root/test01

*
*
*auditctl -l output*: file have been attached named "auditctl
-l output.txt"

file have been attached

On Fri, Jan 20, 2012 at 9:53 AM, bharat gupta
<bharatguptagg@gmail.com <mailto:bharatguptagg@gmail.com>
<mailto:bharatguptagg@gmail.com

<mailto:bharatguptagg@gmail.com>>> wrote:

Hi,
Finally we got the log by doing as you have told me to
remove
auid >=500. generated log is like :

time->Fri Jan 20 05:19:45 2012
type=PATH msg=audit(1327033185.331:1561983): item=0 name=(null)
inode=235577256 dev=00:06 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1327033185.331:1561983): arch=c000003e
syscall=91 success =yes exit=0 a0=d a1=100 a2=0
a3=7fffa34b3740 items=1
ppid=83194 pid=1287823 auid =0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=216 co mm="mmdsm"
exe="/bin/ksh" key="perm_mod"

Thanks for helping so much.

On Thu, Jan 19, 2012 at 5:43 PM, Marcelo Cerri
<mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>

wrote:

So that's the problem :)

root user id is 0 and your rule will only match user
id's >=
500 (which is usually used for regular users).

The auid field is the original user id. So if you were
logged
in as a regular user and tried to run chmod using sudo then
your rule would worked.

Try to remove the -F auid>=500.

Regards,
Marcelo

On 01/19/2012 09:57 AM, bharat gupta wrote:

yes i have been login as root in base machine and then
login to virtual cluster.

On Thu, Jan 19, 2012 at 5:25 PM, Marcelo Cerri
<mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>> wrote:

I noticed that you are changing permission on a
file in
/root dir.

Are you running chmod as root? More precisily,
are you
logged in
directly as root?

On 01/19/2012 09:42 AM, bharat gupta wrote:

Q1. Is this the only rule that you have? What is
the output
for "auditctl -l"?

Ans. This is not the only rule i am running.
output
of auditcl
-l is given in attached file named
"auditctl-l_output.txt".

Q2. What is the architecture that you are
running on?
Ans. architecture detail is gien in attached
file named
"architecture.txt".

Q3. Which program are you using to changing
the file
permissions? Is it running as which user?
Ans. strace -o /root/temp/output_chmod chmod 777
/root/test02
and its output is given in attached
file named
"output_chmod.txt".

On Thu, Jan 19, 2012 at 4:45 PM, Marcelo Cerri
<mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>>> wrote:

Some questions:

1. Is this the only rule that you have?
What is
the output for
"auditctl -l"?

2. What is the architecture that you are
running on?

3. Which program are you using to
changing the file
permissions?
Is it running as which user?

Regards,
Marcelo

PS: I think that it's important to keep the
discussion in the
mailing list. Other people with the same
issue
can can
access this
thread later.

On 01/19/2012 08:16 AM, bharat gupta wrote:

If i will remove quotes then it will be
simmilar to the
previous rule which was not giving
any log.
what should i do to get logs.
Thanks

18, 2012 at 5:40 PM, Marcelo Cerri
<mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>

<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>
<mailto:mhcerri@linux.vnet.ibm.com
<mailto:mhcerri@linux.vnet.ibm.com>>>>>> wrote:

Just remove the quotes. It's only
necessary when running
auditctl
directly from bash.

Regards,
Marcelo

On 01/18/2012 09:10 AM, bharat
gupta wrote:

when i am using auid>=500 in quote
like u have
told -a
always,exit -F arch=b64 -S
chmod -S
fchmod -S
fchmodat -F
'auid>=500' -F auid!=4294967295 -k
perm_mod

it is giving error :
#service auditd restart
Stopping auditd: [
OK ]
Starting auditd: [
OK ]
-F unknown field: "auid
There was an error in line 102 of
/etc/audit/audit.rules

On Sat, Jan 14, 2012 at 1:34 AM,
Steve Grubb
<sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
<mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>>>>
wrote:

On Thursday, January 12, 2012
11:52:29 PM bharat
gupta wrote:
> I am using redhat 6, and trying to create logs for some
system
call using
> the rule given below:
>
> *-a always,exit -F arch=b64 -S chmod -S fchmod -S
fchmodat -F
auid>=500
> -F auid!=4294967295 -k perm_mod*

The rule works for me.

# auditctl -a always,exit -F
arch=b64 -S
chmod -S
fchmod -S
fchmodat -F
'auid>=500' -F
auid!=4294967295 -k
perm_mod

I don't have any asterisk and I
have single
quote marks
since bash
will
interpret the > as a
redirection.
But then
doing a chmod
command,
it does pick
up the fchmodat() syscall.

> After running command chmod i was not able to get any
log, but
when i used
> strace command i have seen that syscall have been called.
> I also checked that auditd service is running properly.

When you use auditctl -l,
is the
rule just
like you
expected?

LIST_RULES: exit,always
arch=3221225534
(0xc000003e)
auid>=500
(0x1f4) auid!=-1
(0xffffffff) key=perm_mod
syscall=chmod,fchmod,fchmodat

It should just work unless
you are
on a
distribution
that
does not
really
support auditing.

-Steve

-- Bharat Gupta
IIT -Roorkee

--
Linux-audit mailing list
Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>>>

https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
<mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>>>>>

https://www.redhat.com/mailman/listinfo/linux-audit

-- Bharat Gupta
IIT -Roorkee

-- Thanks,
Bharat Gupta
IIT -Roorkee

-- Thanks,
Bharat Gupta
IIT -Roorkee

-- Thanks,
Bharat Gupta
IIT -Roorkee

-- Thanks,
Bharat Gupta
IIT -Roorkee

--
Thanks,
Bharat Gupta
IIT -Roorkee