Hi,
I am using Red Hat 6 and trying to log some system calls using
the rule given below:
*-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500
-F auid!=4294967295 -k perm_mod*
-> After running the chmod command I did not get any log entry, but when I
used strace I could see that the syscall had been made.
-> I also checked that the auditd service is running properly.
-> Could you tell me why I am not getting any log message?
-> I also tried adding a rule for 32-bit, but the problem is still not
resolved.
-> When I ran the command "auditctl -l |grep chmod" I got the output
given below:
LIST_RULES: exit,always arch=1073741827 (0x40000003) auid>=500 (0x1f4)
auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4)
auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
-> strace shows that the "fchmodat" system call was made, and I have
included it in my rule, but I am still not getting any log. The strace
command and its output are given below:
*Command* : strace -o /root/bharat/chmodSystemCallOutput.txt chmod 765
/root/bharat/test02
*Output*:
execve("/bin/chmod", ["chmod", "765",
"/root/bharat/test02"], [/* 31 vars
*/]) = 0
brk(0) = 0xdbe000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aaa2000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70036, ...}) = 0
mmap(NULL, 70036, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa36aa90000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\355\1\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1907344, ...}) = 0
mmap(NULL, 3737768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7fa36a4f3000
mprotect(0x7fa36a67a000, 2097152, PROT_NONE) = 0
mmap(0x7fa36a87a000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fa36a87a000
mmap(0x7fa36a87f000, 18600, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa36a87f000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8d000
arch_prctl(ARCH_SET_FS, 0x7fa36aa8e700) = 0
mprotect(0x7fa36a87a000, 16384, PROT_READ) = 0
mprotect(0x7fa36aaa3000, 4096, PROT_READ) = 0
munmap(0x7fa36aa90000, 70036) = 0
brk(0) = 0xdbe000
brk(0xddf000) = 0xddf000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158752, ...}) = 0
mmap(NULL, 99158752, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa364662000
close(3) = 0
umask(0) = 077
stat("/root/bharat/test02", {st_mode=S_IFREG|0777, st_size=18, ...}) = 0
fchmodat(AT_FDCWD, "/root/bharat/test02", 0765) = 0
close(1) = 0
close(2) = 0
exit_group(0)
--
Bharat Gupta
IIT -Roorkee