[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditctl Question



On Wednesday 21 March 2007 13:03, Khoa V. Nguyen wrote:
> I want to be able to audit failed access to /etc/inittab but I don't think
> the current auditctl features able to accomplish it.
>
> auditctl -a watch,always /etc/inittab -F success=no
>
> This would be a syntax error..but
>
> auditctl -a exit,always -w /etc/inittab -F success=no
>
>
> How can I do it?

It depends on the kernel you are running on. For 2.6.19 and higher, you'd just 
do:

auditctl -a exit,always -F perm=rwa -F path=/etc/inittab -F success=no

If you have an earlier kernel, you are limited to -S open -F success=no and 
you could limit its scope by using -F devmajor and devminor.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]