On Wed, 2006-03-22 at 12:17 -0500, Steve Brueckner wrote:
> I'm having trouble getting started with audit on FC4.
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?

Only in RHEL4 AFAIK. Not sure it's going to make FC5, but Steve could
better answer this.

> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
> ------------>8------------
> [root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600

Just curious, have you tried: -F uid=600 ??

<snip>

> audit.log:
> type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
> [develop@localhost ~]$ id
> uid=600(develop) gid=600(develop) groups=600(develop) context=user_u:system_r:unconfined_t
> [develop@localhost ~]$ echo foo >> temp
> audit.log:
> <NO OUTPUT TO AUDIT LOG>
> [root@localhost ~]# auditctl -s
> AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256 lost=0 backlog=0
> [root@localhost ~]# auditctl -l
> AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
> File system watches not supported
> audit.log:
> type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized netlink message type=1009 for sclass=49
> type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0

Says here your loginuid (auid) is unsigned(-1), eh? Do you have the
proper PAM packages?

<snip>

> Thanks for any help,
> Steve Brueckner, ATC-NY
-tim
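The diagnosis in this reply (auid printed as 4294967295, i.e. an unset loginuid, so a rule filtered on loginuid=600 can never match) is easy to check mechanically. The following is an added example, not code from the thread or from the audit project: a small parser for audit.log records in the `type=... msg=audit(ts:serial): key=value ...` shape, which flags records whose loginuid is unset and shows whether a `-F loginuid=600` or a `-F uid=600` filter would have matched each SYSCALL record. The log lines are constructed from the values quoted above; the third record (an `open`, syscall 5 on i386, issued by uid 600 with loginuid still unset) is a constructed illustration of what the user's session would look like, not output from the thread.

```python
"""Parse audit.log records and explain why a loginuid-filtered rule did not fire.

Added example for the linux-audit thread above; not the project's own code.
The three sample records below are constructed from the values quoted in the
message (the third one is invented to show uid 600 acting with auid unset).
"""
import re

# The kernel stores loginuid as a u32 and uses (u32)-1 for "never set";
# audit.log prints that as 4294967295.
AUID_UNSET = 4294967295

# Constructed sample log (shape copied from the thread's audit.log excerpt).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=SYSCALL msg=audit(1142975900.000:6700): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=27600 auid=4294967295 uid=600 gid=600 euid=600 suid=600 fsuid=600 egid=600 sgid=600 fsgid=600
"""

_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")

# Map the auditctl -F field names used in the thread to the audit.log keys.
_FIELD_TO_KEY = {"loginuid": "auid", "uid": "uid"}


def parse_record(line):
    """Return one record as a dict, or None if the line is not an audit record."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    # Free text such as "added an audit rule" carries no '=' and is skipped.
    for key, value in _KV.findall(m.group("rest")):
        rec[key] = value
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def loginuid_is_unset(rec):
    """True when the record's auid is (u32)-1, i.e. pam_loginuid never ran."""
    return int(rec.get("auid", AUID_UNSET)) == AUID_UNSET


def rule_matches(rec, field, value):
    """Mimic the -F <field>=<value> comparison for a SYSCALL record."""
    key = _FIELD_TO_KEY[field]
    if rec["type"] != "SYSCALL" or key not in rec:
        return False
    return int(rec[key]) == value


def diagnose(text, uid=600):
    """Summarise which records have an unset loginuid and which filter would hit."""
    recs = parse_log(text)
    report = {"records": len(recs), "unset_loginuid": 0, "per_record": []}
    for r in recs:
        unset = loginuid_is_unset(r)
        report["unset_loginuid"] += int(unset)
        report["per_record"].append({
            "serial": r["serial"],
            "type": r["type"],
            "loginuid_rule_hits": rule_matches(r, "loginuid", uid),
            "uid_rule_hits": rule_matches(r, "uid", uid),
            "hint": "auid unset: loginuid is not being set for this session" if unset else "",
        })
    return report


if __name__ == "__main__":
    rep = diagnose(SAMPLE_LOG)
    print(f"{rep['unset_loginuid']} of {rep['records']} records have an unset loginuid")
    for entry in rep["per_record"]:
        print(entry)
```

Run against the sample, every record reports an unset loginuid, the `open` record from uid 600 is matched by a `uid=600` filter but not by `loginuid=600`, which is exactly the behaviour the original poster saw: the rule was loaded (CONFIG_CHANGE), but nothing the user did could satisfy it.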