Greetings,

I have the following 2 audit rules set up:

-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1

I have a directory structure like the following:

(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
total 257
drwx------. 3 root root 4096 Nov 7 12:46 .
drwxr-xr-x. 15 root root 262144 Nov 7 12:50 ..
drwx------. 2 root root 4096 Nov 7 12:46 test2

Essentially, directory "/gpfs/fs1/test/" is owned by root and has permissions 700. The subdirectory underneath it (with path /gpfs/fs1/test/test2) is also owned by root and has permissions 700.

When I have a non-root user attempt to list the contents of directory "/gpfs/fs1/test/", I receive an audit message for the denied access. However, when the non-root user attempts to list the contents of the subdirectory (/gpfs/fs1/test/test2), there is no audit message generated. Does anyone know why this is and how I can get audit messages in both cases?


Thanks,

John

John T. Olson, Ph.D., MI.C., K.EY.
Master Inventor, Software Defined Storage
957/9032-1 Tucson, AZ, 85744
(520) 799-5185, tie 321-5185 (FAX: 520-799-4237)
Email: jtolson@us.ibm.com
Follow me on twitter: @John_T_Olson