How do I log read/write access to a file using auditd?
Hi,
I am using ubuntu 8.10.
kernel version: 2.6.27-7
I have added a file watch rule; `auditctl -l` shows it as:
root@bbb-laptop:/home/bbb# auditctl -l
LIST_RULES: exit,always watch=/home/bbb/hihi perm=rwa key=hihi
But no read/write action is recorded after running `cat` on the file; only the open(2) syscall is recorded (in the SYSCALL record below, arch=40000003 is i386 and syscall=5 is open; a1=0x8000 is O_RDONLY|O_LARGEFILE and exit=3 is the returned descriptor). A file watch is matched when a path is resolved, e.g. at open(2), with `perm=` filtering on the requested access mode; the subsequent read()/write() calls on the already-open descriptor carry no path and so produce no records of their own.
root@bbb-laptop:/home/bbb# cat hihi
Here's the audit log (note `auid=4294967295` and `ses=4294967295`, i.e. -1/unset: no login uid was assigned to this session, so these records cannot be attributed to the user who originally logged in before becoming root — pam_loginuid does not appear to be in effect for this shell):
type=PATH msg=audit(1234807352.706:7284): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1234807563.618:7285): arch=40000003 syscall=5 success=yes exit=3 a0=bfb2a709 a1=8000 a2=0 a3=8000 items=1 ppid=7267 pid=26568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="cat" exe="/bin/cat" key="hihi"
type=CWD msg=audit(1234807563.618:7285): cwd="/home/bbb"
type=PATH msg=audit(1234807563.618:7285): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00
Below is my auditd configuration file:
root@bbb-laptop:/home/bbb# cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
# NOTE(review): values are as posted; key semantics per auditd.conf(5).
#
# Where records are written and in what format.
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
# INCREMENTAL flushes to disk every `freq` records, so up to 20 records can be
# lost on a crash or power loss; use a lower freq or flush = SYNC if that loss
# is unacceptable for this host.
flush = INCREMENTAL
freq = 20
# Retention is num_logs files of max_log_file MB each (max_log_file below),
# i.e. roughly 20 MB of history; ROTATE discards the oldest file once the set
# is full, so older evidence is lost unless logs are also shipped off-host.
num_logs = 4
disp_qos = lossless
dispatcher = /sbin/audispd
# NONE: records carry no host name. If logs are forwarded centrally, consider
# HOSTNAME or FQD so records remain attributable to this machine.
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
# Disk-space thresholds are in MB. At 75 MB free only a syslog warning is
# emitted; at 50 MB free auditing is SUSPENDed (the daemon stops writing but
# the system keeps running), and the same on a full or failing disk. Anyone
# who can fill the disk can therefore silence auditing without interrupting
# the host; hardened baselines typically use SINGLE or HALT here so that loss
# of audit coverage is not silent. Review against your own availability vs.
# accountability requirements.
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND