
2013-10-15

memo: audit

$ sudo emerge --oneshot -avt sys-process/audit

$ sudo auditctl -l
Error - audit support not in kernel
Cannot open netlink audit socket

Audit support has to be compiled into the kernel; after rebuilding with CONFIG_AUDIT enabled, the saved kernel configs differ as follows:

$ diff /etc/kernels/kernel-config-x86_64-3.4.6{3,6}-gentoo
3c3
< # Linux/x86 3.4.63-gentoo Kernel Configuration
---
> # Linux/x86 3.4.66-gentoo Kernel Configuration
95c95,99
< # CONFIG_AUDIT is not set
---
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_WATCH=y
> CONFIG_AUDIT_TREE=y
> CONFIG_AUDIT_LOGINUID_IMMUTABLE=y

$ sudo auditctl -l
No rules

$ sudo auditctl -w /mnt/hgfs/share/

$ cd /mnt/hgfs/share/

$ sudo tail -n0 -f /var/log/audit/audit.log

$ ll 1.txt

$ sudo tail -n0 -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1381841035.653:30): arch=c000003e syscall=191 success=no exit=-95 a0=7fffff313e35 a1=7f585a90627f a2=0 a3=0 items=1 ppid=10513 pid=10662 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="ls" exe="/bin/ls" key=(null)
type=CWD msg=audit(1381841035.653:30):  cwd="/mnt/hgfs/share"
type=PATH msg=audit(1381841035.653:30): item=0 name="1.txt" inode=30962247438286374 dev=00:15 mode=0100777 ouid=1000 ogid=1000 rdev=00:00

The watch fires even though the syscall itself failed (success=no, exit=-95), and because the rule above was added without a key, the record carries key=(null).