Just remove the quotes. It's only necessary when running auditctl
directly from bash.
Regards,
Marcelo
On 01/18/2012 09:10 AM, bharat gupta wrote:
when i am using auid>=500 in quote like u have told -a
always,exit -F
arch=b64 -S chmod -S fchmod -S fchmodat -F
'auid>=500' -F auid!=4294967295 -k perm_mod
it is giving error :
#service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
-F unknown field: "auid
There was an error in line 102 of /etc/audit/audit.rules
On Sat, Jan 14, 2012 at 1:34 AM, Steve Grubb <sgrubb(a)redhat.com
<mailto:sgrubb@redhat.com>> wrote:
On Thursday, January 12, 2012 11:52:29 PM bharat gupta wrote:
> I am using redhat 6, and trying to create logs for some system
call using
> the rule given below:
>
> *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F
auid>=500
> -F auid!=4294967295 -k perm_mod*
The rule works for me.
# auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S
fchmodat -F
'auid>=500' -F auid!=4294967295 -k perm_mod
I don't have any asterisk and I have single quote marks since bash
will
interpret the > as a redirection. But then doing a chmod command,
it does pick
up the fchmodat() syscall.
> After running command chmod i was not able to get any log, but
when i used
> strace command i have seen that syscall have been called.
> I also checked that auditd service is running properly.
When you use auditctl -l, is the rule just like you expected?
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500
(0x1f4) auid!=-1
(0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
It should just work unless you are on a distribution that does not
really
support auditing.
-Steve
--
Bharat Gupta
IIT -Roorkee
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit