[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditd/auditctl SLED10



There was a bug at one point where the '-F success=0' didn't
work but '-F success!=1' did work.  You might want to try that
as a workaround.  You might also try an strace on whatever program
you're using to test with to make sure there there isn't an access()
system call before the open.  If there is, then you'll want to audit
access failures.

-- ljk

Lane Williams wrote:
> I am using audit 1.1.3 under SuSE Enterprise 10.  I was wondering if
> anyone could give me an idea of how to log when someone tries to open a
> file which they do not have access to.
> 
> I've tried the example
> 
> auditctl -a exit,always -S open -F success=0
> 
> When I do this I get nothing in the logs.  But if I add the following
> 
> auditctl -a entry,always -S open 
> 
> I get all of the entries and the open failures when there is "No such
> file or directory", but no access violations...
> 
> Thanks for any help,
> 
> Lane
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]