Audit rules use of flags.

Walt Powell wpowell9 at columbus.rr.com
Thu Feb 22 02:48:33 UTC 2007


Hello all:

I have a requirement to audit/log all failed attempts to access files.  I entered the following line in audit.rules:

-w exit,always -S open -F success!=0

and audit flags all file exits regardless of success.  When I try:

-w exit,possible -S open -F success!=0

it does NOT flag any file openings, including failure.  I am curious if:

-w exit,never -S open -F success=0

but I suspect that the 'first hit takes it' nature of audit-1.0.12 will make the flag at the end useless.

So I suppose the question is - do I need to put the -F flag before the -w portion of the entry, or is there some other way to meet the requirement?

Thank you all for any insight.
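As an added example, not part of the original message: the rule form this requirement calls for uses `-a` (append a syscall rule) rather than `-w` (a file watch), e.g. `-a exit,always -S open -S openat -F success=0 -k failed-open` (assumed auditctl syntax; `success` and `-k` as documented in auditctl(8)), and the script below, run over constructed audit.log records, picks out the failed open/openat calls such a rule would produce. Syscall numbers assume x86_64; `openat` is included because most modern programs open files through it, which `-S open` alone would miss.

```python
import re

# Assumed auditctl rule this example checks against (not from the original post):
# `-a` appends a syscall rule (unlike `-w`, which sets a path watch), and
# `-F success=0` keeps only calls whose return value was an error.
AUDIT_RULE = "-a exit,always -S open -S openat -F success=0 -k failed-open"

# x86_64 syscall numbers for the two calls the rule covers (assumed arch).
OPEN_SYSCALLS = {"2": "open", "257": "openat"}

# errno values worth naming when reviewing failed opens.
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}

# Constructed sample audit.log SYSCALL records (not real data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172112513.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=1234 auid=500 uid=500 comm="cat" exe="/bin/cat" key="failed-open"
type=SYSCALL msg=audit(1172112513.102:202): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=1235 auid=500 uid=500 comm="cat" exe="/bin/cat" key="failed-open"
type=SYSCALL msg=audit(1172112513.103:203): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=1 pid=1236 auid=500 uid=500 comm="vim" exe="/usr/bin/vim" key="failed-open"
type=SYSCALL msg=audit(1172112513.104:204): arch=c000003e syscall=1 success=no exit=-9 a0=5 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1237 auid=500 uid=500 comm="sh" exe="/bin/sh" key="failed-open"
"""

# key=value pairs; values are either a quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit record line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def failed_opens(log_text):
    """Return (event id, syscall name, errno name, comm) for each failed open/openat."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue  # only failed syscalls matter for this requirement
        name = OPEN_SYSCALLS.get(rec.get("syscall"))
        if name is None:
            continue  # failed, but not a file-open call (e.g. write on a closed fd)
        exit_code = int(rec["exit"])
        # msg=audit(<time>:<serial>): -> take the serial as the event id
        event_id = rec["msg"].split(":")[1].rstrip(")")
        hits.append((event_id, name, ERRNO_NAMES.get(exit_code, str(exit_code)), rec.get("comm")))
    return hits

if __name__ == "__main__":
    for hit in failed_opens(SAMPLE_LOG):
        print("event %s: %s failed with %s in %s" % hit)
```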