
 
 
Old 23-Jul-2008, 06:11 AM
help me configure auditd

I want to audit all read/write operations in /tmp, so I did the following:
# cat /etc/auditd.rules
-D
-b 256
-e 1
-w /tmp -p rwx -k CFG_tmp

# chkconfig auditd on
# rcauditd on

Now I log in as user "faisal", create a file under /tmp and delete it again:
$ cd /tmp
$ touch new.txt
$ rm new.txt

Then I run the following command. Its output is very verbose and detailed; I don't want all those details (shown in red) — none of them are useful to me.

Please help me configure the audit daemon the way I want. ;)

# ausearch -k CFG_tmp -i
----
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:40.778:1467) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:40.778:1467) : arch=x86_64 syscall=unlink success=yes exit=0 a0=7fffafba653a a1=2 a2=2 a3=0 items=2 ppid=23629 pid=23664 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=rm exe=/bin/rm key="CFG_tmp"



type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=1 name=/tmp/sv94.tmp inode=205821 dev=08:06 mode=dir,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.801:1470) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.801:1470) : arch=i386 syscall=rmdir per=400000 success=yes exit=0 a0=ffb6384c a1=f6d1a158 a2=f756c5d0 a3=0 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=1 name=/tmp/OSL_PIPE_0_SingleOfficeIPC_6474b982b398a01e2cba5b2 c351464e inode=205779 dev=08:06 mode=socket,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.865:1471) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.865:1471) : arch=i386 syscall=unlink per=400000 success=yes exit=0 a0=8154e24 a1=2 a2=f756c5d0 a3=8154e20 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.397:1472) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.397:1472) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23808 pid=23814 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1473) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1473) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffcb6dde0a a1=7fffcb6dde0a a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1474) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1474) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:34.925:1475) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:34.925:1475) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23839 pid=23845 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.013:1476) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.013:1476) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffeb274e0a a1=7fffeb274e0a a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.017:1477) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.017:1477) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.412:1478) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.412:1478) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23878 pid=23884 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.504:1479) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.504:1479) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fff4a099e0a a1=7fff4a099e0a a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.508:1480) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.508:1480) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"