Hi,
When playing/learning with auditd, I wanted to log events when apache fails to access a
file.
Here are the rules I used in Debian Wheezy (same on Jessie and current latest
Testing):
-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
The /var/www/server-status file is non-existent, it's just an alias for accessing mod_status
information (the http://.../server-status path is accessed by munin regularly), so I wanted to
minimise noise by that exit,never rule.
But I can't get it to work.
I have a more in-depth post in the Debian forums [1] if that helps, but in short, should this
work in general?
Thanks!
[1] http://forums.debian.net/viewtopic.php?f=5&t=128092