no logging of successful events?
Steve Grubb
sgrubb at redhat.com
Mon Aug 18 20:07:55 UTC 2008
On Monday 18 August 2008 15:39:01 Brian LaMere wrote:
> (boo for me not hitting reply-all before)
>
> Fair enough, was just basing from the man page which says:
>
> " To see unsuccessful open call's:
>
> auditctl -a exit,always -S open -F success!=0"
I think that was patched at some point. The current man page in svn is right.
But I think I should touch it up a bit.
> Note that I actually got the line from the DoD requirements, which give
> that line - if that line isn't present, then they determine that "the
> audit system is not configured to audit failed attempts to access files
> and programs."
The recent versions of the audit system ship with a stig.rules file that gives
what I believe to be a correct rule set. What the official docs say to do is
another thing. :) Take a look at that file and see how I do the unauthorized
file access.
HTH
-Steve
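
Added example, not part of the original message or of the audit project's code: a small Python check showing which syscall outcomes a rule's `-F success` filter lets through, applied to the man page line quoted above. It assumes the audit `success` field is 1 when the syscall returned >= 0 and 0 otherwise, compared numerically; the function names, the `success=0` comparison rule and the unfiltered rule are constructed for illustration.

```python
import operator
import re
import shlex

# Comparison operators accepted in -F expressions.
OPS = {"!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       "=": operator.eq, ">": operator.gt, "<": operator.lt}
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.+)$")

# Constructed sample rules: the first is the line quoted from the man page.
MAN_PAGE_LINE = "auditctl -a exit,always -S open -F success!=0"
FAILURES_ONLY = "auditctl -a exit,always -S open -F success=0"
NO_FILTER = "auditctl -a exit,always -S open"

def outcomes_recorded(rule):
    """Return the syscall outcomes ('success', 'failure') that pass the
    rule's -F success filters. Only numeric filter values are handled."""
    tokens = shlex.split(rule)
    selected = {"success": 1, "failure": 0}  # value of the success field
    for flag, arg in zip(tokens, tokens[1:]):
        if flag != "-F":
            continue
        m = FIELD_RE.match(arg)
        if not m or m.group(1) != "success":
            continue  # other fields (auid, exit, ...) are not modelled here
        compare, wanted = OPS[m.group(2)], int(m.group(3))
        selected = {k: v for k, v in selected.items() if compare(v, wanted)}
    return set(selected)

def check_failed_access_rule(rule):
    """Judge a rule that is meant to audit failed access attempts."""
    got = outcomes_recorded(rule)
    if not got:
        return "wrong: matches no calls"
    if got == {"failure"}:
        return "ok: records only failed calls"
    if "failure" not in got:
        return "wrong: records only successful calls"
    return "broad: records successes and failures"

if __name__ == "__main__":
    for rule in (MAN_PAGE_LINE, FAILURES_ONLY, NO_FILTER):
        print(f"{check_failed_access_rule(rule):45} {rule}")
```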