I just tried the latest kernel and audit. I am seeing some problems
regarding missing watch records. The kernel also seems to hang!
I tried twice, and got the same results. Also, after doing a mv on the
file, the system hangs (all windows hang, and I have to force reboot it).
Here is what I tried:
[root@comp1 objident]# auditctl -w /tmp/file1 -k file1-key
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file1, filterkey=file1-key,
perms=0, valid=1
[root@comp1 objident]# touch /tmp/file1
[root@comp1 objident]# auditctl -w /tmp/file2 -k file2-key
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file2, filterkey=file2-key,
perms=0, valid=1
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file1, filterkey=file1-key,
perms=0, valid=1
[root@comp1 objident]# touch /tmp/file2
[root@comp1 objident]# echo "test" >> /tmp/file1
[root@comp1 objident]# cat /tmp/file1
test
[root@comp1 objident]# echo "test file2" >> /tmp/file2
[root@comp1 objident]# cat /tmp/file2
test file2
[root@comp1 objident]# mv /tmp/file1 /tmp/foo
mv: overwrite `/tmp/foo'? y
I only see two records corresponding with the touch on both watched
files. The records also seem to be in a different order than before
(backwards):
type=DAEMON msg=audit(1115727149.996:751) auditd start, ver=0.7.4,
format=raw, uid=514, auditd pid=2795
Init complete, audit pid set to: 2795
type=KERNEL msg=audit(1115727150.199:0): audit_enabled=1 old=1 by auid 514
type=KERNEL msg=audit(1115727176.862:367655): syscall=5 arch=40000003
success=yes exit=3 a0=bff21c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2798
loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727176.862:367655): auxitem=1 watch="file1"
filterkey=file1-key perm=0 perm_mask=2 inode=2224526 inode_uid=0
inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727176.862:367655): item=0 name="/tmp/file1"
inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): syscall=5 arch=40000003
success=yes exit=3 a0=bffd1c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2800
loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727221.850:371646): auxitem=1 watch="file2"
filterkey=file2-key perm=0 perm_mask=2 inode=2224528 inode_uid=0
inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): item=0 name="/tmp/file2"
inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
- loulwa
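A small checker for the "missing watch records" symptom above, added here as an example and not code from the original post or from the audit project: it groups the raw auditd records by serial number, collects the filterkey and comm of each event, and reports which expected programs never produced a record for each watch. The sample log is the two events from the post, re-joined onto one line each; the expected comm names (bash for the `echo >>` builtin, cat, mv, touch) are an assumption about the session shown.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the report above (serials 367655 and
# 371646), each record re-joined onto a single line.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1115727176.862:367655): syscall=5 arch=40000003 success=yes exit=3 a0=bff21c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2798 loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727176.862:367655): auxitem=1 watch="file1" filterkey=file1-key perm=0 perm_mask=2 inode=2224526 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727176.862:367655): item=0 name="/tmp/file1" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): syscall=5 arch=40000003 success=yes exit=3 a0=bffd1c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2800 loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727221.850:371646): auxitem=1 watch="file2" filterkey=file2-key perm=0 perm_mask=2 inode=2224528 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): item=0 name="/tmp/file2" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial and merge their key=value fields.
    A field repeated across records of one event (e.g. inode) keeps the
    last value; that is fine for the filterkey/comm check done here."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record (daemon chatter, blank line)
        _, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"time": ts})
        for k, v in FIELD.findall(body):
            ev[k] = v.strip('"')
    return events

def watch_coverage(events, expected):
    """For each filterkey, compare the comm values that produced records
    against the comm values expected to trigger that watch."""
    seen = defaultdict(set)
    for ev in events.values():
        if "filterkey" in ev and "comm" in ev:
            seen[ev["filterkey"]].add(ev["comm"])
    return {key: {"seen": sorted(seen[key]), "missing": sorted(want - seen[key])}
            for key, want in expected.items()}

if __name__ == "__main__":
    # Assumed session: touch, echo >> (a bash builtin, so comm=bash), cat on
    # both files, and mv on file1 only.
    expected = {"file1-key": {"touch", "bash", "cat", "mv"},
                "file2-key": {"touch", "bash", "cat"}}
    for key, cov in watch_coverage(parse_events(SAMPLE_LOG), expected).items():
        print(key, "seen:", cov["seen"], "missing:", cov["missing"])
```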
Loulwa Salem wrote:
> I just tried the latest kernel and audit. I am seeing some problems
> regarding missing watch records. the kernel also seems to hang!
> I tried twice, and got the same results. also after doing a mv on the
> file, the system hangs (all windows hang, and I have to force reboot it).
Forgot to mention ... I am running on i386
# uname -a
Linux comp1.ltc.austin.ibm.com 2.6.9-5.0.3.EL.audit.34 #1 Tue May 10 11:59:50 EDT 2005 i686 i686 i386 GNU/Linux
- loulwa