AUDIT Rules

Curtis, TS Troy @ IS Troy.S.Curtis at L-3Com.com
Thu May 24 13:03:10 UTC 2007


 I believe it is important to also note that the field values:

-F success=0 -F success!=0   

Effectively disable the rule.  A rule is generated if ALL the
expressions match.  This set of rules says "generate an event when the
call is BOTH successful AND unsuccessful" which of course cannot happen.
If you desire to have all chmod and fchmod calls, both successful and
unsuccessful, just leave off the '-F' fields.

Note that Steve's rule only monitors *unsuccessful* chmod and fchmod
calls. 


Troy Curtis, Jr.

-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
Sent: Wednesday, May 23, 2007 2:10 PM
To: linux-audit at redhat.com
Subject: Re: AUDIT Rules

On Wednesday 23 May 2007 15:04, Paul Whitney wrote:
> -a exit,possible -S chmod -F success=0 -F success!=0 -a exit,possible 
> -S fchmod -F success=0 -F success!=0

 -a exit,always -S chmod -S fchmod -F success=0

You can combine the syscalls into 1 rule.

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
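
An added example, not part of the mailing-list thread above and not auditd's own code: a small parser, matcher and linter for auditctl syscall rules that makes the point of the thread concrete. The only audit semantics it relies on are the ones stated in the messages: every -F field (together with the -S syscall list) must match for an event to be generated, success=0 selects failed calls and success!=0 selects successful ones. The Rule class, parse_rules, matches, satisfiable, lint and the event dictionaries are this example's own constructions, as are the synthetic syscall records fed to them; the rule strings are the ones quoted in the thread.

```python
"""Lint auditctl syscall rules for contradictory -F fields and simulate
which syscall records a rule would match.  Added example, not auditd code:
the Rule class, parse_rules(), matches(), satisfiable() and lint() are
this example's own constructions."""
import shlex
from dataclasses import dataclass, field

# Field domains the linter reasons about.  "success" is the only one
# needed here; other fields are parsed but assumed satisfiable.
FIELD_DOMAINS = {"success": {0, 1}}

# Two-character operators first, so "success!=0" is not split on "=".
OPERATORS = ("!=", ">=", "<=", "=", ">", "<")


@dataclass
class Rule:
    list_name: str = ""                               # e.g. "exit"
    action: str = ""                                  # "always" (or old "possible")
    syscalls: list = field(default_factory=list)      # from -S
    fields: list = field(default_factory=list)        # (name, op, value) from -F


def parse_rules(line):
    """Parse one auditctl command line into a Rule per '-a' clause.
    The first message in the thread carried two rules on one line,
    so every '-a' starts a new rule."""
    tokens = shlex.split(line)
    rules = []
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag == "-a":
            list_name, action = tokens[i + 1].split(",", 1)
            rules.append(Rule(list_name=list_name, action=action))
            i += 2
            continue
        if not rules:
            raise ValueError(f"{flag!r} appears before any -a")
        current = rules[-1]
        if flag == "-S":
            current.syscalls.append(tokens[i + 1])
        elif flag == "-F":
            expr = tokens[i + 1]
            for op in OPERATORS:
                if op in expr:
                    name, value = expr.split(op, 1)
                    current.fields.append((name, op, value))
                    break
            else:
                raise ValueError(f"no comparison operator in {expr!r}")
        elif flag == "-k":
            pass  # key is informational only; ignored by this matcher
        else:
            raise ValueError(f"unsupported auditctl option {flag!r}")
        i += 2
    return rules


def _compare(actual, op, expected):
    a, e = int(actual), int(expected)
    return {"=": a == e, "!=": a != e, ">": a > e, "<": a < e,
            ">=": a >= e, "<=": a <= e}[op]


def matches(rule, event):
    """True if the rule would generate an event for this syscall record.
    event is a constructed dict such as {"syscall": "chmod", "success": 0};
    it must carry every field the rule names.  All -F fields are ANDed,
    and the syscall must be listed (no -S at all means any syscall)."""
    if rule.syscalls and event["syscall"] not in rule.syscalls:
        return False
    return all(_compare(event[name], op, value) for name, op, value in rule.fields)


def satisfiable(rule):
    """False if the rule's -F fields on a known-domain field can never all
    hold at once, e.g. '-F success=0 -F success!=0'."""
    for name, domain in FIELD_DOMAINS.items():
        allowed = {v for v in domain
                   if all(_compare(v, op, value)
                          for fname, op, value in rule.fields if fname == name)}
        if not allowed:
            return False
    return True


def lint(line):
    """Return (rule_count, unsatisfiable_count) for one auditctl line."""
    rules = parse_rules(line)
    return len(rules), sum(1 for r in rules if not satisfiable(r))


# Rule strings as quoted in the thread above.
PAUL = ("-a exit,possible -S chmod -F success=0 -F success!=0 "
        "-a exit,possible -S fchmod -F success=0 -F success!=0")
STEVE = "-a exit,always -S chmod -S fchmod -F success=0"
ALL_CALLS = "-a exit,always -S chmod -S fchmod"   # both outcomes, no -F

if __name__ == "__main__":
    for label, line in (("Paul", PAUL), ("Steve", STEVE), ("all calls", ALL_CALLS)):
        print(label, lint(line))
```

Running it reports both of the original rules as unsatisfiable, while the combined rule with a single `-F success=0` matches failed chmod and fchmod records only and the rule with no `-F` at all matches both outcomes. The linter only knows the domain of `success`; contradictions in other fields would need their domains added to FIELD_DOMAINS.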