On Monday 18 August 2008 15:39:01 Brian LaMere wrote:
(boo for me not hitting reply-all before)
Fair enough, was just basing from the man page which says:
" To see unsuccessful open call's:
auditctl -a exit,always -S open -F success!=0"
I think that was patched at some point. The current man page in svn is right.
But I think I should touch it up a bit.
Note that I actually got the line from the DoD requirements, which give
that line - if that line isn't present, then they determine that "the
audit system is not configured to audit failed attempts to access files
and programs."
The recent versions of the audit system ship with a stig.rules file that gives
what I believe to be a correct rule set. What the official docs say to do is
another thing. :) Take a look at that file and see how I do the unauthorized
file access.
HTH
-Steve
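
An added example, not part of the original thread and not taken from the audit project's stig.rules: a small Python check of what an open-family audit rule actually records, assuming auditctl's semantics that the `success` field is 1 for a successful syscall and 0 for a failed one. Apart from the man-page line quoted in the thread, the sample rules and all function names are constructed for illustration.

```python
import shlex

# Open-family syscalls considered here (an assumed set for this example).
OPEN_FAMILY = {"open", "openat", "creat", "truncate", "ftruncate"}

def classify_rule(line):
    """Return 'failures', 'denied-only', 'successes' or 'all' for an
    open-family syscall rule, or None for any other line."""
    line = line.split("#", 1)[0].strip()          # drop rules-file comments
    if not line:
        return None
    tokens = shlex.split(line)
    if tokens[0] == "auditctl":                   # accept CLI or rules-file form
        tokens = tokens[1:]
    syscalls, filters = set(), []
    it = iter(tokens)
    for tok in it:
        if tok == "-S":
            syscalls.add(next(it, ""))
        elif tok == "-F":
            filters.append(next(it, ""))
    if not syscalls & OPEN_FAMILY:
        return None
    verdict = "all"                               # no result filter at all
    for f in filters:
        if f in ("success=0", "success!=1"):
            return "failures"                     # every failed call
        if f in ("success!=0", "success=1"):
            return "successes"                    # matches calls that worked
        if f in ("exit=-EACCES", "exit=-EPERM"):
            verdict = "denied-only"               # permission failures only
    return verdict

def covers_failed_opens(lines):
    """True if at least one rule records failed open-family calls."""
    return any(classify_rule(l) in ("failures", "denied-only") for l in lines)

# Constructed sample input; the first entry is the line quoted in the thread.
SAMPLE_RULES = [
    "auditctl -a exit,always -S open -F success!=0",
    "-a always,exit -S open -F success=0",
    "-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access",
    "-w /etc/passwd -p wa -k identity",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{classify_rule(rule)!s:12} {rule}")
```
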