On Wed, Mar 22, 2006 at 01:41:21PM -0700, Stephen J. Smoogen wrote:
> I have my notes correct). I am not sure that the below would work
> without the file patches.

The functionality Steve B is inquiring about is unrelated to the
filesystem audit patches. If you use the 'uid' field instead of
'loginuid', you will see the records you expect, e.g.:

    auditctl -a exit,always -S open -F uid=600

Filtering with 'uid' is based on the user actually executing the open
operation. Filtering with 'loginuid' (called auid in the audit log)
is based on the user id used to gain access to the system, although
they may be opening the file as another user.

Records will be logged in different situations based on your choice of
these filter fields. Of course, even if you don't want to filter
based on loginuid, it would be good to ensure it is being collected by
audit, as others have suggested.
> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
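
The difference between the two filter fields, shown on constructed audit records (an added example, not part of the original message; the sample log lines and the helper names `parse_record` and `matching_serials` are made up for illustration). It also flags records whose login uid was never set, which is the collection problem mentioned above.

```python
import re

# Constructed SYSCALL records (not captured from a real system), trimmed to
# the fields that matter here. Serial 101: user 600 acting as themselves.
# 102: logged in as 600, then became root. 103: logged in as 500, then became
# 600. 104: process with no login uid set. 105: unrelated user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1143060081.100:101): arch=c000003e syscall=2 success=yes exit=3 pid=2101 auid=600 uid=600 euid=600 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1143060082.200:102): arch=c000003e syscall=2 success=yes exit=3 pid=2140 auid=600 uid=0 euid=0 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1143060083.300:103): arch=c000003e syscall=2 success=yes exit=3 pid=2188 auid=500 uid=600 euid=600 comm="less" exe="/usr/bin/less"
type=SYSCALL msg=audit(1143060084.400:104): arch=c000003e syscall=2 success=yes exit=3 pid=977 auid=4294967295 uid=600 euid=600 comm="job" exe="/usr/local/bin/job"
type=SYSCALL msg=audit(1143060085.500:105): arch=c000003e syscall=2 success=yes exit=3 pid=2230 auid=500 uid=500 euid=500 comm="cat" exe="/bin/cat"
"""

UNSET_AUID = 4294967295  # (uid_t)-1: no login uid was recorded for the process
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Return the key=value fields of one record plus its event serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = int(m.group(1)) if m else None
    return fields

def matching_serials(log, field, value):
    """Serials of SYSCALL records whose numeric log field equals value,
    i.e. the events a '-F <field>=<value>' rule would have selected.
    The log field 'auid' corresponds to the 'loginuid' filter field."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get(field, "").isdigit() and int(rec[field]) == value:
            out.append(rec["serial"])
    return out

if __name__ == "__main__":
    print("uid=600      ->", matching_serials(SAMPLE_LOG, "uid", 600))
    print("loginuid=600 ->", matching_serials(SAMPLE_LOG, "auid", 600))
    print("loginuid unset ->", matching_serials(SAMPLE_LOG, "auid", UNSET_AUID))
```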