On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> I have the following rule in audit.rules
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F key=mod
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
> What am I missing here?
> Thanks!

You need to give 1 system call per line, I guess.
-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod
Ciao, Marcus
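
The one-syscall-per-rule layout suggested in the reply can be produced mechanically from an existing rules file. The following is an added example, not part of the original thread; `split_syscall_rules` is a hypothetical helper name, and it only rewrites rule text on stdin without loading anything into the kernel.

```shell
# Added example (not from the thread): expand audit rules that name several
# syscalls with repeated -S options into one rule per syscall.
# Reads rules on stdin, writes the rewritten rules on stdout.
split_syscall_rules() {
    awk '
    # Comments and blank lines pass through untouched.
    /^[[:space:]]*(#|$)/ { print; next }
    {
        n = 0; head = ""; tail = ""
        for (i = 1; i <= NF; i++) {
            # "-S name": remember the syscall and skip both tokens.
            if ($i == "-S" && i < NF) { names[++n] = $(++i); continue }
            # Everything before the first -S is the rule head (-a list,action),
            # everything after it (-F filters, key) is the tail.
            if (n == 0) head = head $i " "
            else        tail = tail " " $i
        }
        # Rules with zero or one syscall are already in the target layout.
        if (n < 2) { print; next }
        # Emit one rule per syscall, keeping head and filters identical.
        for (j = 1; j <= n; j++) print head "-S " names[j] tail
    }'
}

# Typical use (file names are assumptions):
#   split_syscall_rules < audit.rules > audit.rules.split
```

Review the rewritten file before installing it, since every emitted rule carries the same `-F` filters and key as the original line.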