I am using audit 1.1.3 under SuSE Enterprise 10. I was wondering if anyone could give me an idea of how to log when someone tries to open a file which they do not have access to.
I've tried the example

    auditctl -a exit,always -S open -F success=0

When I do this I get nothing in the logs. But if I add the following

    auditctl -a entry,always -S open

I get all of the entries and the open failures when there is "No such file or directory", but no access violations...

Thanks for any help,
Lane
