* Erich Schubert (erich.schubert(a)gmail.com) wrote:
> I tried to have it do what I want, but I wasn't successful.
> A typical log line looks like this:
> type=KERNEL msg=audit(1109729446.695:310443): item=0
> name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600
> uid=1000 gid=1000 rdev=00:00
> Now I want to log only accesses to my IDE disk, so I tried
> /usr/local/sbin/auditctl -a entry,possible -S open -F devmajor=3
devmajor is an exit filter. So try something like:
/usr/local/sbin/auditctl -a entry,possible -S open
/usr/local/sbin/auditctl -a exit,always -S open -F devmajor=3
and let me know if that works?
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
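As an added example (not part of the thread), the following Python does in userspace what the exit-list rule above asks the kernel to do: it parses records in the log format quoted above and keeps only those whose dev= major number matches. The sample lines are constructed, and the dev=MAJOR:MINOR values are assumed to be hexadecimal.

```python
import re

# Constructed sample records in the format quoted in the thread (not a real
# capture): two on device major 3 (the IDE disk), one on major 8.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1109729446.695:310443): item=0 name=/home/erich/.esd_auth inode=1589515 dev=03:05 mode=0100600 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729450.112:310444): item=0 name=/tmp/scratch inode=42 dev=08:01 mode=0100644 uid=1000 gid=1000 rdev=00:00
type=KERNEL msg=audit(1109729451.003:310445): item=0 name=/etc/passwd inode=1 dev=03:01 mode=0100644 uid=0 gid=0 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields.

    The msg=audit(SECONDS.MS:SERIAL): field is additionally split into a
    float timestamp and an integer serial.
    """
    fields = dict(FIELD_RE.findall(line))
    m = re.match(r'audit\((\d+\.\d+):(\d+)\):', fields.get('msg', ''))
    if m:
        fields['timestamp'] = float(m.group(1))
        fields['serial'] = int(m.group(2))
    return fields


def dev_major_minor(dev):
    # dev=MAJOR:MINOR, assumed here to be hexadecimal (e.g. "03:05" -> (3, 5)).
    major, minor = dev.split(':')
    return int(major, 16), int(minor, 16)


def filter_by_devmajor(log_text, devmajor):
    """Return the name= values of records whose device major equals devmajor.

    This mirrors `-a exit,always -S open -F devmajor=3`: the device is only
    known once open() has resolved the path, i.e. at syscall exit, which is
    why devmajor cannot be matched on the entry list.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if 'dev' not in rec:
            continue
        major, _ = dev_major_minor(rec['dev'])
        if major == devmajor:
            hits.append(rec['name'])
    return hits


if __name__ == '__main__':
    for name in filter_by_devmajor(SAMPLE_LOG, 3):
        print(name)
```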