Hello,
 
I need to log file edit attempts when a user doesn't have permission to edit a specific file. For example, a non-root user attempts to edit "/var/log/audit/audit'log" which has a permission setting of 640. Although the user won't be able to edit the file (permission denied) - I'd still like to log the attempt. Here's a snippet of my audit.rules file:
 

## unsuccessful creation

-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation

-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open

-a exit,always -S open -F exit=-13 -k open

## unsuccessful close

-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications

-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods

-a exit,always -S renameat -F exit=-13 -k mods

## unsuccessful deletion

-a exit,always -S rmdir -S unlink -F exit=-13 -k delete

-a exit,always -S unlinkat -F exit=-13 -k delete

## unauthorized change directory (cd)

-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

## Watch Files

-w /var/log/audit/audit.log -p rwxa -k audit-log2

 

Thanks

-Jim