Logging failed open() calls on /var/log/audit/audit.log
Timothy R. Chavez
tinytim at us.ibm.com
Tue Jun 27 21:32:46 UTC 2006
On Tue, 2006-06-27 at 17:21 -0400, Steve Grubb wrote:
> On Tuesday 27 June 2006 17:15, Amy Griffis wrote:
> > If you would like to see a record in this case, you must add a watch
> > for /var/log/audit.
>
> I don't see a record watching this either.
>
> -Steve
Maybe because you're executing in the system-call attempting the access
of audit.log and it's in this context the permissions to do so are
checked. Been awhile, but looking at fs/open.c:do_sys_open, should
there be an fsnotify_open() hook in the error path as well?
-tim
More information about the Linux-audit
mailing list