On Wednesday 13 December 2006 18:16, Michael W Folsom wrote: > 1) If someone tries to access an object (file, directory, program) that > they don't have rights to the event needs to be recorded
-a always,exit -S open,opendir,execve -F exit=-13 This does it for 3 common syscalls. You can do it for any syscall you want. You can use strace to figure out the syscalls you want. > 2) if someone logs into a system and su's to another user or series of > users their actions need to be traceable to the original login user's > id It does this. There is a process attribute, loginuid, that keeps track of this. The audit events have it as the auid field. We've already preconfigured RHEL4/5 and FC4->rawhide to handle this. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
