The auditctl man page for audit-1.0.14-1EL4 says the following (which
appears to be incorrect):
To see unsuccessful open calls:
auditctl -a exit,always -S open -F success!=0
but an email you sent out a bit ago says this:
> If you wanted all unsuccessful opens, I'd rewrite as:
>
> -a exit,always -S open -F success!=1
This makes a lot more sense, and I assume that this is the correct
syntax. You might want to check to see if this has already been
corrected in the man pages for upcoming releases.
I was hoping that this setting by itself (-a exit,always -S open -F
success!=1) would show me any failed file opens on the whole machine,
so I don't understand why I don't get any audit events with this
configuration. I thought that maybe I also have to have a watch set on
a file, then tell auditd which events I want to collect with the "-a
exit,always -S open -F success!=1" setting, but that didn't do it
either. Here's what I was testing
/etc/audit.rules :
-D
-w /etc/nsswitch.conf -p rwxa
-a exit,always -S open -F success!=1
Then
service auditd reload
service auditd rotate
tail -f /var/log/audit/audit.log
Then in another window, as a non-privileged user
rm /etc/nsswitch.conf
cat /dev/null > /etc/nsswitch.conf
chown karen /etc/nsswitch.conf
chmod 777 /etc/nsswitch.conf
cat somefile >> /etc/nsswitch.conf
I get lots of permission denied messages at the command line, but
nothing in the audit log relating to karen messing around with
/etc/nsswitch.conf.
I must still be missing some basic understanding of how this all works.
Any helpful suggestions would be greatly appreciated.
Thanks,
Karen Wieprecht
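Added example (not part of the post above, nor of the audit package): once the rule does fire, the events land in audit.log as a SYSCALL record (carrying success=yes/no, exit=errno, uid, comm) followed by PATH records that share the same serial number inside msg=audit(ts:serial). The script below groups records by that serial and picks out the failed open() calls, optionally restricted to one path, which is the post-hoc equivalent of "-a exit,always -S open -F success!=1" combined with the watch on /etc/nsswitch.conf. The log lines are constructed for illustration (the field layout follows auditd's format, the values are invented), and the syscall-number table assumes i386 (arch=40000003, open=5, unlink=10, chmod=15, chown=182); on any other arch the numbers differ and a real tool would key on the arch field.

```python
"""Find failed open() calls on a watched path in Linux audit.log output.

Added illustration, not code from the original post or from the audit
project. SAMPLE_LOG is constructed; the i386 syscall table is an assumption.
"""
import errno
import re
from collections import defaultdict

# Assumption: i386 syscall numbers (arch=40000003). open() is what "-S open"
# selects; unlink/chmod/chown are included so the rm/chmod/chown tests in the
# post can be told apart from the open() failures.
I386_SYSCALLS = {5: "open", 10: "unlink", 15: "chmod", 182: "chown"}

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: uid 500 truncates nsswitch.conf (open denied, serial 45),
# reads it (open allowed, 46), rm's it (unlink denied, 47), and opens a file
# that does not exist (open fails with ENOENT, 48).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1138000001.123:45): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe2a0 a1=241 a2=1b6 a3=0 items=1 pid=4201 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1138000001.123:45): item=0 name="/etc/nsswitch.conf" inode=131329 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1138000002.456:46): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe2a0 a1=0 a2=1b6 a3=0 items=1 pid=4202 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1138000002.456:46): item=0 name="/etc/nsswitch.conf" inode=131329 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1138000003.789:47): arch=40000003 syscall=10 success=no exit=-13 a0=bfffe2a0 a1=0 a2=0 a3=0 items=1 pid=4203 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1138000003.789:47): item=0 name="/etc/nsswitch.conf" inode=131329 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1138000004.012:48): arch=40000003 syscall=5 success=no exit=-2 a0=bfffe2a0 a1=0 a2=1b6 a3=0 items=1 pid=4204 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1138000004.012:48): item=0 name="/etc/doesnotexist" inode=0 dev=00:00 mode=0 ouid=0 ogid=0 rdev=00:00
"""


def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Group records by audit serial: one SYSCALL record plus its PATH names."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, noise)
        serial = int(m.group("serial"))
        fields = parse_fields(m.group("body"))
        fields["ts"] = m.group("ts")
        if m.group("type") == "SYSCALL":
            events[serial]["syscall"] = fields
        elif m.group("type") == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
    return dict(events)


def failed_syscalls(text, path=None, names=("open",)):
    """Events with success=no for the named syscalls, optionally on one path.

    Returns one dict per event with serial, syscall name, uid, comm, the
    errno symbol decoded from the negative exit value, and the PATH names.
    """
    hits = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        name = I386_SYSCALLS.get(int(sc["syscall"]), "unknown")
        if name not in names:
            continue
        if path is not None and path not in ev["paths"]:
            continue
        code = -int(sc["exit"])  # exit=-13 means the call returned -EACCES
        hits.append({
            "serial": serial,
            "syscall": name,
            "uid": int(sc["uid"]),
            "comm": sc["comm"],
            "errno": errno.errorcode.get(code, str(code)),
            "paths": ev["paths"],
        })
    return hits


if __name__ == "__main__":
    for hit in failed_syscalls(SAMPLE_LOG, path="/etc/nsswitch.conf",
                               names=("open", "unlink", "chmod", "chown")):
        print(hit)
```

With the sample, only serial 45 is a failed open() on /etc/nsswitch.conf; the rm shows up as a failed unlink, not an open, which is why "-S open" alone will never report rm, chown or chmod attempts. On current audit releases, ausearch -sc open -sv no answers the same question directly from the log.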