[RFC] NISPOM audit rules - first draft
Steve Grubb
sgrubb at redhat.com
Fri Apr 13 18:31:39 UTC 2007
On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
> Wow... finally just getting to these. Just a couple quick comments below.
The nispom.rules file has been updated several times since this was initially
posted.
> > ## unsuccessful modifications
> > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> > -a exit,always -S renameat -F exit=-13 -k mods
> > -a exit,always -F perm=a -F exit=-13 -k mods
>
> No system call specified...
That's what the magic of "perm" is. It selects all syscalls that match the
changing of attribute.
-Steve