Too many failed open syscalls
Steve Grubb
sgrubb at redhat.com
Wed Feb 9 22:20:44 UTC 2011
On Wednesday, February 09, 2011 05:05:52 pm Todd Heberlein wrote:
> On Feb 9, 2011, at 10:17 AM, Steve Grubb wrote:
> > They go on with a table which essentially means you need to audit almost
> > everything. But you only need to worry about the failed access.
>
> Translation: You only need to worry about failed attack. Ignore the
> successful attacks.
There are certain system objects where you have to audit both success and failure,
e.g. /etc/shadow. However, if a file's permissions are 0644, do you really need to
audit that the file was accessed, e.g. /etc/localtime?
-Steve
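The distinction drawn in this message, as an added example that is not from the thread or from the audit project: failed opens are recorded for every file, and a success-and-failure watch is generated only for files that are not world-readable. The world-readable test, the key names and the `arch=b64` field are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: derive audit.rules lines from file permissions.
# Assumption: the "other" read bit decides whether successful reads matter.

# Baseline for every file: record only opens that fail on permissions.
baseline_rules() {
    for err in EACCES EPERM; do
        printf '%s\n' "-a always,exit -F arch=b64 -S open -S openat -F exit=-$err -k failed-open"
    done
}

# Emit a watch (success and failure) unless the path is world-readable.
watch_rule_for() {
    path=$1
    mode=$(stat -c '%a' -- "$path") || return 1   # GNU stat, octal mode
    last=${mode#"${mode%?}"}                      # last digit = "other" bits
    if [ $(( last & 4 )) -ne 0 ]; then
        printf '# %s (mode %s): world-readable, failed opens only\n' "$path" "$mode"
    else
        printf '%s\n' "-w $path -p rwa -k sensitive-file"
    fi
}

# Constructed sample: temp files standing in for /etc/localtime and /etc/shadow.
demo=$(mktemp -d)
: > "$demo/localtime"; chmod 0644 "$demo/localtime"
: > "$demo/shadow";    chmod 0600 "$demo/shadow"
baseline_rules
watch_rule_for "$demo/localtime"
watch_rule_for "$demo/shadow"
rm -rf "$demo"
```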