
auditd/auditctl SLED10



I am using audit 1.1.3 under SuSE Enterprise 10.  I was wondering if
anyone could give me an idea of how to log when someone tries to open a
file which they do not have access to.

I've tried the example

auditctl -a exit,always -S open -F success=0

When I do this I get nothing in the logs.  But if I add the following

auditctl -a entry,always -S open 

I get all of the entries and the open failures when there is "No such
file or directory", but no access violations...

Thanks for any help,

Lane

