Re: auditing access to directories with restricted access

I am trying to set up some audit rules to monitor failed accesses to a given folder - here is the basics: -a exit,always -S open -k fk_open -F dir=/recorder/ -F success=0 Here are the permissions on the folder: drwxrwx--- 3 red red 4096 Jun 4 10:39 recorder and the contents: drwxrwx--- 3 red red 4096 Jun 4 12:05 . drwxr-xr-x 21 root root 1024 Jun 4 10:38 .. drwx------ 2 root root 16384 Apr 24 15:49 lost+found -rw-rw---- 1 root root 6 Jun 4 12:05 test.txt If I run as user "red" ie. Who does have permission to write to this folder but then try and replace the "text.txt" file (which is owned by root) I get: reduser@unit:~ echo test >test.txt -sh: can't create test.txt: Permission denied Along with a corresponding entry in the audit log which is what I'm expected. However if I run as another use which does not have permission to access this folder and try the same thing: blackuser@unit:~ echo test >/recorder/test.txt -sh: can't create /recorder/test.txt: Permission denied But I don't get anything captured in the audit log. I've tried a few incarnations of the rule, including setting up similar arrangements and having the daemon monitor the parent folder (thinking the access will show up there) but I can't get this scenario to be detected by the audit daemon. If I remove the file system filter (ie. So I see all failed accesses) then it does get logged but this generates way too much traffic to be of much use. I've also done an strace call around the command and verified that (in this latter scenario) is it definitely the open call which is generating the permission denied error and it is. This is using audit-2.3.6 on a 3.2.55 kernel. Any help appreciated,