Audit rules use of flags.
Steve Grubb
sgrubb at redhat.com
Mon Feb 26 16:04:27 UTC 2007
On Wednesday 21 February 2007 21:48, Walt Powell wrote:
> I have a requirement to audit/log all failed attempts to access files.
If you are on x86_64, I think you'll need a new kernel. There was a problem in
exit codes and sign extention during promotion.
> I entered the following line in audit.rules:
>
> -w exit,always -S open -F success!=0
>
> and audit flags all file exits regardless of success.
See below. I think you can get this with 2 rules until you can update your
kernel.
> When I try:
>
> -w exit,possible -S open -F success!=0
>
> it does NOT flag any file openings, including failure.
Possible only collects information so that if another rule actually triggers
an event, it has everything on hand to give a full context dump. Generally,
you do not need "possible" rules.
> I am curious if:
>
> -w exit,never -S open -F success=0
>
> but I suspect that the 'first hit takes it' nature of audit-1.0.12 will
> make the flag at the end useless.
Yes, but you should be able to follow that rule with:
-w exit,always -S open
which means the success !=0 case hits the second rule.
> So I suppose the question is - do I need to put the -F flag before the -w
> portion of the entry, or is there some other way to meet the requirement?
No, you have to use syscall auditing for this and not watches.
-Steve
More information about the Linux-audit
mailing list