auditd/auditctl SLED10
Linda Knippers
linda.knippers at hp.com
Thu Jul 20 20:08:35 UTC 2006
There was a bug at one point where the '-F success=0' didn't
work but '-F success!=1' did work. You might want to try that
as a workaround. You might also try an strace on whatever program
you're using to test with to make sure there there isn't an access()
system call before the open. If there is, then you'll want to audit
access failures.
-- ljk
Lane Williams wrote:
> I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if
> anyone could give me an idea of how to log when someone tries to open a
> file which they do not have access to.
>
> I've tried the example
>
> auditctl -a exit,always -S open -F success=0
>
> When I do this I get nothing in the logs. But if I add the following
>
> auditctl -a entry,always -S open
>
> I get all of the entries and the open failures when there is "No such
> file or directory", but no access violations...
>
> Thanks for any help,
>
> Lane
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list