On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> Any pointers for troubleshooting auditd missing events for file reads,
> edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
> http://security.stackexchange.com/q/89009/56827
The -w notation is the same as
-a always,exit -F path=XXX -F perms=rwa
What this does is audit the following functions defined in the syscall
classifiers:
http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
You are not going to get a hit for each and every read system call because
read is not audited.
-Steve
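A way to check the point above on a real host, as an added example that is not part of the mail thread: after loading the watch, cat the file and look at which syscalls `ausearch -i` reports for the key. The sample records, the key name and the path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). A file watch never fires on
# read(2); the open()/openat() that precedes the read is what perms=r matches,
# so a single cat of a watched file shows up as one open-class record.
#
# Both spellings of the rule are equivalent (key name is an assumption):
#   auditctl -w /etc/hosts -p rwa -k hosts_watch
#   auditctl -a always,exit -F path=/etc/hosts -F perms=rwa -k hosts_watch

# Constructed sample of `ausearch -k hosts_watch -i` output after two cats
# of the watched file. Note there is no syscall=read record.
SAMPLE='type=SYSCALL msg=audit(05/11/2015 11:50:19.123:42) : arch=x86_64 syscall=open success=yes exit=3 key=hosts_watch
type=SYSCALL msg=audit(05/11/2015 11:51:02.456:43) : arch=x86_64 syscall=openat success=yes exit=3 key=hosts_watch'

# Count SYSCALL records per syscall name for one key.
# Live use: ausearch -k hosts_watch -i | syscall_histogram hosts_watch
syscall_histogram() {
    awk -v key="$1" '
        /^type=SYSCALL/ && index($0, "key=" key) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^syscall=/) { sub(/^syscall=/, "", $i); n[$i]++ }
        }
        END { for (s in n) printf "%s %d\n", s, n[s] }' | LC_ALL=C sort
}

# Exit 0 if the named syscall produced at least one record for the key.
# $1 = key, $2 = syscall name, stdin = ausearch -i output
saw_syscall() {
    syscall_histogram "$1" | awk -v s="$2" '$1 == s { f = 1 } END { exit !f }'
}
```

On a real system, expect open/openat (and truncate, rename, chmod and friends for the w and a perms) in the histogram and never read or write.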