Below are some sample audit records generated by device_allocator. Klaus, are there any more audit records that I need to be checking for other than what I've included below?
// admin adds a user accessible device to the configuration file
# dev_allocator_config -a -n cdrom -f /dev/cdrom -c cdrom -m SystemLow -x SystemHigh
type=USER msg=audit(1146766083.884:9290): user pid=14757 uid=0 auid=0 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:unallocated_device_t:SystemLow", device initialized to unallocated state'
type=USER msg=audit(1146766083.884:9291): user pid=14757 uid=0 auid=0 msg='devmgr: configuration file altered'

// allocate device
$ dev_allocator -a /dev/cdrom
type=USER msg=audit(1146766179.402:9293): user pid=14766 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:removable_device_t:SystemLow", device allocated'

// Try to allocate the device that is already allocated
$ dev_allocator -a /dev/cdrom
devalloc_alloc: Device is currently allocated.
(no new audit record)

// unallocate the device
$ dev_allocator -u /dev/cdrom
type=USER msg=audit(1146513843.584:8139): user pid=27579 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:unallocated_device_t:SystemLow", device unallocated'

// allocate the device again
$ dev_allocator -a /dev/cdrom
type=USER msg=audit(1146513930.377:8140): user pid=27586 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:removable_device_t:SystemLow", device allocated'

// admin deletes the device from the configuration file
# dev_allocator_config -d -n cdrom -f /dev/cdrom
type=USER msg=audit(1146766993.245:9296): user pid=14829 uid=0 auid=0 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:removable_device_t:SystemLow", device released from management'
type=USER msg=audit(1146766993.249:9297): user pid=14829 uid=0 auid=0 msg='devmgr: configuration file altered'

// user tries to allocate a device that is not currently a user accessible device in the configuration file
$ dev_allocator -a /dev/cdrom
dev_allocator: No devices are configured.
(no new audit record)

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
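
For anyone reviewing these records in bulk, here is a small parser for the devmgr USER record layout shown in the message above. It is an added example, not part of the original post or of device_allocator; the function names parse_devmgr and parse_log are made up for illustration, and the field layout is assumed from the sample records only.

```python
import re

# Three records copied from the message above, used here as sample input.
SAMPLE = """\
type=USER msg=audit(1146766083.884:9290): user pid=14757 uid=0 auid=0 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:unallocated_device_t:SystemLow", device initialized to unallocated state'
type=USER msg=audit(1146766083.884:9291): user pid=14757 uid=0 auid=0 msg='devmgr: configuration file altered'
type=USER msg=audit(1146766179.402:9293): user pid=14766 uid=0 auid=501 msg='devmgr: device="/dev/cdrom" context="system_u:object_r:removable_device_t:SystemLow", device allocated'
"""

# Outer USER record: timestamp, serial, ids, then the devmgr message text.
HEADER = re.compile(
    r"type=USER msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): user "
    r"pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) "
    r"msg='devmgr: (?P<body>.*)'$"
)
# Device events carry a path and SELinux context; config events do not.
DEVICE = re.compile(
    r'device="(?P<device>[^"]+)" context="(?P<context>[^"]+)", (?P<event>.+)$'
)

def parse_devmgr(line):
    """Return a dict for one devmgr USER record, or None for any other line."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m["ts"])}
    rec.update({k: int(m[k]) for k in ("serial", "pid", "uid", "auid")})
    d = DEVICE.match(m["body"])
    if d is None:
        # e.g. "configuration file altered": no device or context fields
        rec.update(device=None, type=None, level=None, event=m["body"])
        return rec
    # user:role:type:level; the level may itself contain ':' so split 3 times
    parts = d["context"].split(":", 3)
    if len(parts) != 4:
        return None
    rec.update(device=d["device"], type=parts[2], level=parts[3], event=d["event"])
    return rec

def parse_log(text):
    """Parse every devmgr record in text, keeping the order they appear in."""
    return [r for r in map(parse_devmgr, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["serial"], "auid=%d" % r["auid"], r["device"], r["type"], r["event"])
```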
