audit.56 merged with audit-2.6.git
Timothy R. Chavez
tinytim at us.ibm.com
Thu Jun 9 15:13:57 UTC 2005
On Thursday 09 June 2005 08:54, Steve Grubb wrote:
> No audit records are generated when I made the file world readable. I suppose
> you could hook the right syscalls, but that would provide way too much info.
> The reason I ask is Table 1 of CAPP, FMT_MSA.3 says that we should be able
> to audit all modifications to the initial value of security attributes &
> modifications to permissive or restrictive rules. Maybe I misunderstand the
> application of this requirement, but that seems like file permissions.
Have you tried using the syscall (inode,dev)-based filter rules?
-tim
More information about the Linux-audit
mailing list