There was a bug at one point where the '-F success=0' didn't
work but '-F success!=1' did work. You might want to try that
as a workaround. You might also try an strace on whatever program
you're using to test with to make sure there isn't an access()
system call before the open. If there is, then you'll want to audit
access failures.
-- ljk
Lane Williams wrote:
I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
anyone could give me an idea of how to log when someone tries to open a
file which they do not have access to.
I've tried the example
auditctl -a exit,always -S open -F success=0
When I do this I get nothing in the logs. But if I add the following
auditctl -a entry,always -S open
I get all of the entries and the open failures when there is "No such
file or directory", but no access violations...
Thanks for any help,
Lane
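
An added example, not part of the original thread: once exit rules for open and access failures are logging, this separates permission denials (exit=-13, EACCES) from the "No such file or directory" failures (exit=-2) and also catches a denied access() that precedes the open. The log records are constructed, and the syscall numbers assume x86_64 (open=2, access=21).

```python
import re
from collections import defaultdict

# Constructed sample records in auditd log style (not taken from the thread).
# Assumption: x86_64 syscall numbers, where open=2 and access=21.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1160000000.101:501): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=4101 uid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1160000000.101:501): item=0 name="/tmp/missing.txt"
type=SYSCALL msg=audit(1160000000.202:502): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=4102 uid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1160000000.202:502): item=0 name="/etc/shadow" inode=1234 dev=08:01
type=SYSCALL msg=audit(1160000000.303:503): arch=c000003e syscall=21 success=no exit=-13 items=1 pid=4103 uid=1000 comm="test" exe="/usr/bin/test"
type=PATH msg=audit(1160000000.303:503): item=0 name="/root/.ssh/id_rsa" inode=5678 dev=08:01
type=SYSCALL msg=audit(1160000000.404:504): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4104 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1160000000.404:504): item=0 name="/etc/passwd" inode=42 dev=08:01
"""

SYSCALLS = {"2": "open", "21": "access"}   # assumed x86_64 numbering
DENIED = {"-13": "EACCES", "-1": "EPERM"}  # exit=-2 (ENOENT) is deliberately absent
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def permission_denials(log_text):
    """Return (syscall, errno, uid, comm, path) for each denied open/access."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        # Records sharing one timestamp:serial belong to the same event.
        events[match.group(1)].setdefault(fields.get("type"), fields)
    findings = []
    for records in events.values():
        sc = records.get("SYSCALL", {})
        name, err = SYSCALLS.get(sc.get("syscall")), DENIED.get(sc.get("exit"))
        if sc.get("success") == "no" and name and err:
            path = records.get("PATH", {}).get("name")
            findings.append((name, err, sc.get("uid"), sc.get("comm"), path))
    return findings


if __name__ == "__main__":
    for finding in permission_denials(SAMPLE_LOG):
        print(finding)
```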