Hello all:
I have a requirement to audit/log all failed
attempts to access files. I entered the following line in
audit.rules:
-w exit,always -S open -F success!=0
and audit flags all file exits regardless of
success. When I try:
-w exit,possible -S open -F success!=0
it does NOT flag any file openings, including
failure. I am curious if:
-w exit,never -S open -F success=0
but I suspect that the 'first hit takes it' nature
of audit-1.0.12 will make the flag at the end useless.
So I suppose the question is - do I need to put the
-F flag before the -w portion of the entry, or is there some other way to meet
the requirement?
Thank you all for any
insight.
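For readers arriving at this thread later, here is an added example (not from the original poster or the audit project) showing how the "log only failed file opens" requirement is usually expressed in auditctl syntax, together with a small check run over constructed log lines. Note the differences from the rules above: the syscall rule takes `-a` (append action), not `-w` (which adds a path watch); the pair is written `always,exit`; on 64-bit hosts modern auditctl requires `-F arch=b64`/`b32` when syscalls are given by name; and `-F success=0` keeps only records whose syscall returned an error. The key name `access-fail`, the sample log excerpt, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: auditd rules for failed file opens plus a check over
# constructed audit.log lines. Not taken from the thread above.

# Emit the rules in current auditctl syntax. Fields on one rule are ANDed,
# so success=0 restricts the rule to calls that returned an error.
# (On the audit-1.0.12 release in the thread, the arch field may be
# unsupported; on any 64-bit host with a newer auditctl it is required.)
failed_open_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S open,openat,creat -F success=0 -F key=access-fail
-a always,exit -F arch=b32 -S open,openat,creat -F success=0 -F key=access-fail
EOF
}

# Constructed audit.log excerpt (not real data): two failed opens
# (EACCES = -13, ENOENT = -2), one successful open, one PATH record.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c comm="cat" exe="/usr/bin/cat" key="access-fail"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c comm="cat" exe="/usr/bin/cat" key="access-fail"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c comm="vim" exe="/usr/bin/vim" key="access-fail"
type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/shadow" nametype=UNKNOWN'

# Count SYSCALL records tagged with our key whose call failed.
# This is what the rule set above should produce: failures only.
count_failed_opens() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -c 'type=SYSCALL .* success=no .*key="access-fail"'
}

# Break failures down by errno (the exit= field), so permission denials
# (exit=-13) can be told apart from missing files (exit=-2) when triaging.
failed_by_errno() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/type=SYSCALL/ && /success=no/ {
                 for (i = 1; i <= NF; i++) if ($i ~ /^exit=/) c[$i]++
             }
             END { for (k in c) print k, c[k] }' \
      | sort
}
```

On a live host the rules would be loaded with `auditctl -R` (or placed in audit.rules and listed back with `auditctl -l`), and the same filtering done by `ausearch -k access-fail --success no` rather than by grep; the grep/awk functions here only illustrate what the resulting records look like and which fields a reviewer should inspect.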