Auditing Problem

James Candalino
Occasional Contributor

I have auditing turned on to monitor delete events as well as chmods. There are a couple of problems I have found.

1. While it does monitor for rmdirs just fine, I don't see where it is monitoring for rms. If this is under a different name (i.e. the system call), what is it?

2. When it displays the "Path" to the file that was modified/deleted, it only shows what the user typed in. If they don't specify a full path, the information is pretty much useless. Anyone know if it is possible to have auditing always display a full path?

3. Is it possible to monitor events/system calls from root? I noticed a bunch of events created by User=????????. Is that root or the system itself?

Any insight that can be provided would be very much appreciated.
Darren Prior
Honored Contributor

Re: Auditing Problem

Hi,

2. I believe you can only have the path as typed by the user. Perhaps monitoring chdir() may help.

3. Yes, root can be audited - use audusr to check whether this has been set. The user=?????? comes from situations where the user cannot be determined. I think login might be one of these situations, as the user isn't known when the command starts.

regards,

Darren.
Calm down. It's only ones and zeros...
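As an added illustration of the path problem in point 2 and the chdir() suggestion in the reply (this is example code written for this page, not HP-UX audit tooling or anything posted in the thread): a file removed with rm reaches the kernel as an unlink() call, and the audit record only carries the path string the process passed in. If chdir() is audited too, a post-processor can track each process's working directory and rebuild an absolute path for every relative delete. The record format below is constructed for the example and is not the HP-UX audit display format; an audit event whose process has no recorded chdir() is flagged rather than guessed, and an event with an unresolvable user (the "?" case from point 3) is flagged as unattributed.

```python
import posixpath

# Constructed sample records for this example only; NOT the HP-UX audit
# record layout. Each dict stands for one audited system call.
SAMPLE_EVENTS = [
    {"pid": 101, "syscall": "chdir",  "path": "/home/jc/project", "user": "jc"},
    {"pid": 101, "syscall": "unlink", "path": "notes.txt",        "user": "jc"},
    {"pid": 101, "syscall": "chdir",  "path": "../shared",        "user": "jc"},
    {"pid": 101, "syscall": "rmdir",  "path": "tmp",              "user": "jc"},
    {"pid": 202, "syscall": "unlink", "path": "/etc/motd",        "user": "root"},
    {"pid": 303, "syscall": "unlink", "path": "stale.log",        "user": "?"},
]

# System calls treated as "delete" events in this example (assumption).
DELETE_CALLS = frozenset({"unlink", "rmdir"})


def resolve(cwd, path):
    """Join a path as typed against a known working directory."""
    if posixpath.isabs(path):
        return posixpath.normpath(path)
    return posixpath.normpath(posixpath.join(cwd, path))


def reconstruct_full_paths(events, delete_calls=DELETE_CALLS):
    """Replay chdir() records per pid and expand relative delete paths.

    Returns one result dict per delete event. full_path is None when the
    path was relative and no chdir() for that pid has been seen, so the
    true target cannot be known from the audit trail alone.
    """
    cwd_by_pid = {}
    results = []
    for ev in events:
        pid, call, path = ev["pid"], ev["syscall"], ev["path"]
        if call == "chdir":
            # A relative chdir() before any absolute one is itself ambiguous;
            # only accept it once the process's directory is known.
            if posixpath.isabs(path) or pid in cwd_by_pid:
                cwd_by_pid[pid] = resolve(cwd_by_pid.get(pid, "/"), path)
            continue
        if call not in delete_calls:
            continue
        if posixpath.isabs(path):
            full = posixpath.normpath(path)
        elif pid in cwd_by_pid:
            full = resolve(cwd_by_pid[pid], path)
        else:
            full = None
        results.append({
            "pid": pid,
            "syscall": call,
            "path_as_typed": path,
            "full_path": full,
            "user": ev["user"],
            # "?" stands in for the unresolvable-user case in this example.
            "user_known": ev["user"] != "?",
        })
    return results


if __name__ == "__main__":
    for r in reconstruct_full_paths(SAMPLE_EVENTS):
        flag = "" if r["full_path"] else " [cwd unknown]"
        who = r["user"] if r["user_known"] else "UNATTRIBUTED"
        print(f"pid={r['pid']} {r['syscall']} {r['full_path'] or r['path_as_typed']}{flag} user={who}")
```

Run as a script it prints one line per delete event; feeding it real records would require a small adapter that maps the audit display output into the pid/syscall/path/user fields used here.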