auditctl Question
Steve Grubb
sgrubb at redhat.com
Thu Mar 22 13:57:56 UTC 2007
On Wednesday 21 March 2007 13:03, Khoa V. Nguyen wrote:
> I want to be able to audit failed access to /etc/inittab but I don't think
> the current auditctl features are able to accomplish it.
>
> auditctl -a watch,always /etc/inittab -F success=no
>
> This would be a syntax error..but
>
> auditctl -a exit,always -w /etc/inittab -F success=no
>
>
> How can I do it?

It depends on the kernel you are running on. For 2.6.19 and higher, you'd just
do:

auditctl -a exit,always -F perm=rwa -F path=/etc/inittab -F success=no

If you have an earlier kernel, you are limited to -S open -F success=no and
you could limit its scope by using -F devmajor and devminor.

-Steve
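
Added example, not part of the original message: a small Python filter that correlates the SYSCALL and PATH records of each audit event and reports failed accesses to one path, which is the kind of output the success=no rule above is meant to capture. The log lines are constructed samples in the usual audit.log layout, and the function names parse_events and failed_accesses are hypothetical.

```python
import re

# Constructed sample records in the Linux audit log layout (not from the post).
# Events 311 and 312 stand in for records produced by other, unrelated rules.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1174571876.101:310): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2145 auid=500 uid=500 comm="vi" exe="/bin/vi" key=(null)
type=PATH msg=audit(1174571876.101:310): item=0 name="/etc/inittab" inode=98231 dev=03:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1174571880.552:311): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2150 auid=0 uid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1174571880.552:311): item=0 name="/etc/inittab" inode=98231 dev=03:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1174571891.007:312): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2161 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1174571891.007:312): item=0 name="/etc/shadow" inode=98307 dev=03:02 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1174571902.330:313): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2170 auid=501 uid=501 comm="sh" exe="/bin/sh" key=(null)
type=PATH msg=audit(1174571902.330:313): item=0 name="/etc/inittab" inode=98231 dev=03:02 mode=0100644 ouid=0 ogid=0
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by (timestamp, serial); one event spans several lines."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events.setdefault(m.groups(), []).append(fields)
    return events


def failed_accesses(text, path):
    """Return failed syscalls whose event also carries a PATH record for `path`."""
    hits = []
    for (_, serial), records in sorted(parse_events(text).items(),
                                       key=lambda kv: int(kv[0][1])):
        touched = any(r.get("type") == "PATH" and r.get("name") == path
                      for r in records)
        for sc in (r for r in records if r.get("type") == "SYSCALL"):
            if touched and sc.get("success") == "no":
                hits.append({"serial": int(serial), "uid": sc["uid"],
                             "exe": sc["exe"], "exit": int(sc["exit"])})
    return hits


if __name__ == "__main__":
    for hit in failed_accesses(SAMPLE_LOG, "/etc/inittab"):
        print(hit)
```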