auditd/auditctl SLED10
Lane Williams
lane.williams at jhuapl.edu
Thu Jul 20 19:44:07 UTC 2006
I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
anyone could give me an idea of how to log when someone tries to open a
file which they do not have access to.

I've tried the example:

    auditctl -a exit,always -S open -F success=0

When I do this I get nothing in the logs. But if I add the following:

    auditctl -a entry,always -S open

I get all of the entries and the open failures when there is "No such
file or directory", but no access violations...

Thanks for any help,
Lane