Ah, I see my mistake. I was using 'possible' instead of 'always'. Thanks for your help!
-- Eric

Steve Grubb sgrubb-at-redhat.com |redhat-audit-mailing-list| wrote:
> On Wednesday 06 June 2007 14:40, Eric Howard wrote:
>> I have been tasked to generate test cases to validate the proper execution
>> of particular syscall audit flags.
>
> I think HP open sourced a test suite that tests the audit system:
> http://sourceforge.net/projects/audit-test
>
>> In most cases I have succeeded in triggering audit log entries. However, I
>> have been unable to trigger audit entries for the 'symlink call'. My test
>> cases are generated by a shell script that executes commands to trigger the
>> relevant calls. In my test case I created a hard-link and a soft-link
>> using /bin/ln. Running strace indicated that the syscall was definitely
>> made but 'ausearch -sc symlink' shows nothing. I am using
>> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
>
> Looking at the syscalls, it should trigger on something like:
>
> auditctl -a always,exit -S symlink
>
> Or were you testing it another way?
>
> -Steve
