LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-16-2009, 01:08 PM   #1
neversetsun
LQ Newbie
 
Registered: Feb 2009
Posts: 5

Rep: Reputation: 0
how to log read/write access using auditd?


Hi,
I am using ubuntu 8.10.
kernel version: 2.6.27-7

I have added the rule.

root@bbb-laptop:/home/bbb# auditctl -l
LIST_RULES: exit,always watch=/home/bbb/hihi perm=rwa key=hihi

But no read/write action is recorded after doing cat. Only open syscall is recorded.

root@bbb-laptop:/home/bbb# cat hihi

Here's the audit log:

type=PATH msg=audit(1234807352.706:7284): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1234807563.618:7285): arch=40000003 syscall=5 success=yes exit=3 a0=bfb2a709 a1=8000 a2=0 a3=8000 items=1 ppid=7267 pid=26568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="cat" exe="/bin/cat" key="hihi"
type=CWD msg=audit(1234807563.618:7285): cwd="/home/bbb"
type=PATH msg=audit(1234807563.618:7285): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00



Below is my auditd configuration file:

root@bbb-laptop:/home/bbb# cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND

Last edited by neversetsun; 02-16-2009 at 01:18 PM.
 
Old 02-17-2009, 06:18 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Quote:
Originally Posted by neversetsun View Post
But no read/write action is recorded after doing cat. Only open syscall is recorded.
Quoting 'man 8 auditctl': "These permissions are not the standard filepermissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
No write or read access to anything I mount Romanus81 Slackware 7 04-13-2008 08:19 AM
read/write access for ttys0 pete_bogg Linux - General 1 08-15-2006 01:31 AM
SAMBA read write access desertViking Linux - Newbie 2 12-05-2005 03:06 PM
read write access phoenix_wolf Linux - Newbie 2 12-05-2004 10:35 AM
Read/Write access to a partition? Boggit Linux - Newbie 5 04-04-2004 04:05 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 10:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration