Greetings,
I have the following 2 audit rules set up:
-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
I have a directory structure like the following:
(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
total 257
drwx------. 3 root root 4096 Nov 7 12:46 .
drwxr-xr-x. 15 root root 262144 Nov 7 12:50 ..
drwx------. 2 root root 4096 Nov 7 12:46 test2
Essentially, directory "/gpfs/fs1/test/" is owned by root and has
permissions 700. The subdirectory underneath it (with
path /gpfs/fs1/test/test2) is also owned by root and has permissions 700.
When I have a non-root user attempt to list the contents of directory
"/gpfs/fs1/test/" I receive an audit message for the denied access.
However, when the non-root user attempts to list the contents of the
subdirectory (/gpfs/fs1/test/test2), there is no audit message generated.
Does anyone know why this is and how I get audit messages in both cases?
Thanks,
John
John T. Olson, Ph.D., MI.C., K.EY.
Master Inventor, Software Defined Storage
957/9032-1 Tucson, AZ, 85744
(520) 799-5185, tie 321-5185 (FAX: 520-799-4237)
Email: jtolson(a)us.ibm.com
Follow me on twitter: @John_T_Olson
"Do or do not. There is no try." - Yoda
Olson's Razor:
Any situation that we, as humans, can encounter in life
can be modeled by either an episode of The Simpsons
or Seinfeld.